Leaked memo suggests NSA and US Army compromised Tor, I2P, VPNs and want to unmask Monero users
5.2.2018 securityaffairs BigBrothers

The image of a memo leaked online suggests that the US Army and NSA are able to unmask Tor, I2P, and VPN users and are working to track Monero. That is the claim made by a photo allegedly leaked from the US Army.
The image revealed a joint project to track anonymous cryptocurrencies conducted by US Army’s Cyber Protection Team (CPT) from the Cyber Protection Brigade and NSA.
The photo of the memo is dated August 21, 2017, and was posted in the biz section of 4chan. The content reads:

SUBJECT: Additional resource request for ACC project

2nd Battalion’s joint NSA/CPT [Cyber Protection Team] anonymous cryptocurrency project needs additional support in the form of new hires and additional funding to meet GWOT [Global War On Terror] and drug interdiction objectives outlined in July’s Command update brief.
• Requesting authorization to add additional civilian consultants to the ACC project and to initiate their SCI investigations
• Requesting additional funds for class 7 and 9, amounts indicated in attached cost analysis worksheet.
The success we have had with Tor, I2P, and VPN cannot be replicated with those currencies that do not rely on nodes [?]. There is a growing trend in the employment of Stealth address and ring signatures that will require additional R&D. Please reference the weekly SITREP [SITuation REPort] ON SIPR for more details regarding the TTPs involved.
BLUF [Bottom Line, Up Front]: In order to put the CPT back on track, we need to identify and employ additional personnel who are familiar with the CryptoNote code available for use in anonymous currencies.
Include this request for discussion at the next training meeting.
Point of contact for this memorandum is CW4 Henry, James P. at DSN (312)-780-2222.



The memo explicitly refers to the difficulties in unmasking cryptocurrencies based on CryptoNote, an application layer protocol used by several decentralized, privacy-oriented digital currencies.

The document requests the allocation of additional resources to track anonymous cryptocurrencies like Monero (XMR), Anonymous Electronic Online CoiN (AEON), DarkNet Coin (DNC), Fantomcoin (FCN), and Bytecoin (BCN).

The US authorities believe that Monero would become the main cryptocurrency in the criminal underground.

Researchers at DeepDotWeb verified the authenticity of the Defense Switched Network (DSN) phone number listed for James P. Henry.

“There is a Defense Switched Network (DSN) phone number listed for James P. Henry. When this DSN phone number was converted into a phone number that can be reached from the regular commercial phone network and called, the number was in fact the US Army’s Cyber Protection Brigade located in Fort Gordon, Georgia, just as the document purported to originate from.” states the blog post published by DeepDotWeb.

“While it is possible someone could have done a search for the Cyber Protection Brigade telephone number and used the conversion chart to recreate the DSN version of the phone number, it should be noted that the DSN phone number was not published on the internet prior to the release of this leak.”

DeepDotWeb requested comments from a Monero developer and other sources who were formerly in the Army; they all confirmed that the document appears to be authentic and its content plausible.

DeepDotWeb also cited an anonymous source still serving in the US Army who, after analyzing the document, said it was accurate.

Security experts believe that the US intelligence and military are using internal resources to conduct surveillance on blockchains.

It is still unclear who leaked the memo; some speculate it was intentionally published as a deterrent.

Tor, I2P, and VPNs are not completely compromised by the intelligence agency. Persistent attackers have already proposed and implemented techniques to unmask users, but these are not effective for dragnet surveillance.

Documents leaked by Edward Snowden revealed that the NSA is able to unmask VPN solutions based on vulnerable VPN protocols such as PPTP; however, VPNs which rely on OpenVPN may not be compromised.

Don’t forget that anonymizing networks are essential to fight censorship and to ensure freedom of speech.

Looking at the photo it is possible to note above the laptop’s monitor, in the bottom right of the photo, a Common Access Card (CAC) that is a smart ID card used by the Department of Defense.

I believe it was intentionally put there with a diversionary intent.

GandCrab, a new ransomware-as-a-service emerges from Russian crime underground
3.2.2018 securityaffairs

Experts at cyber security firm LMNTRIX have discovered a new ransomware-as-a-service dubbed GandCrab, advertised in the Russian hacking community on the dark web.


GandCrab was advertised in the Russian hacking community; researchers noticed that its authors leverage the RIG and GrandSoft exploit kits to distribute the malware.

“Over the last three days LMNTRIX Labs has been tracking an influx of GandCrab ransomware. The ransomware samples are being pushed by RIG Exploit delivery channels.” reads the analysis published by LMNTRIX.


As usually happens with Russian threat actors, members cannot use the ransomware to infect systems in the former Soviet Republics that now comprise the Commonwealth of Independent States.

Below are some interesting points from the advertisement:

• “Prospective buyers are asked to join the ‘partner program’, in which profits from the ransomware are split 60:40
• ‘Large’ partners are able to increase their percentage of proceeds to 70 per cent
• As a Ransomware-as-a-service offering, technical support and updates are offered to ‘partners’
• Partners are prohibited from targeting countries in the Commonwealth of Independent States (Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan and Ukraine) – violating this rule results in account deletion
• Partners must apply to use the ransomware, and there is a limited amount of ‘seats’ available.” reads the translation of the ad.

The operators behind the RaaS offer their platform while keeping 40% of the ransom; the percentage is reduced to 30% for large partners.

Once infected, if the victim does not pay on time, he will have to pay a double ransom.

Other specific features of the GandCrab RaaS are that it allows payment in the cryptocurrency Dash and that the service is provided by a server hosted on a .bit domain.

The authors of the GandCrab RaaS also offer technical support and updates to its members, and they published a video tutorial that shows how the ransomware is able to avoid antivirus detection.

The RaaS implements a user-friendly admin console, accessible via the Tor network, to allow malware customization (i.e. ransom amount, individual bots and encryption masks).

The experts shared the Indicators of Compromise in their blog post.

More than 1 million worth of ETH stolen from Bee Token ICO Participants with phishing emails
3.2.2018 securityaffairs

Participants in the Bee Token ICO were robbed of 100s of ETH: scammers sent out a phishing email stating that the ICO was now open, followed by an Ethereum address they controlled.
Another day, another incident involving cryptocurrencies: hundreds of users fell victim to email scams in the last few days.

The victims were tricked by scammers into sending more than $1 million worth of Ethereum to them as part of Bee Token ICO (Initial Coin Offering). Bee Token is a blockchain-based home sharing service, it launched the ICO on January 31 and ended on February 2, when the Bee team obtained the $5 million necessary to start their project.

During the period of the ICO, the crooks sent phishing emails posing as the Bee Token ICO.

The scammers, impersonating the Bee team, sent out emails conveying a sense of urgency to potential investors, inviting them to buy Bee Tokens by transferring Ethereum coins to the scammers' wallets.

To convince users to participate in the ICO by sending Ethereum, the scammers spread the news that the company had started a partnership with Microsoft and would be giving participants a 100% bonus for all contributions in the next 6 hours.

Cybercriminals also guaranteed that the value of Bee Token would double within 2 months, or participants would receive their ETH back.

“Today, investors who were eagerly waiting for their opportunity to join the Bee Token ICO were robbed for 100s of ETH. Scammers managed to get their hands on the Bee Token mailing list and sent out a phishing email stating that the ICO was now open, followed by an Ethereum address to send their contributions to.” states the blog post published by TheRippleCryptocurrency.

After the Bee team became aware of fraudulent activity it issued three security alerts to warn of the ongoing scam:

“The Bee Token team has been made aware of phishing sites that have copied the Bee Token website in an attempt to deceive users into sending them their money. Please DO NOT trust any website other than https://www.beetoken.com/ . REPEAT: DO NOT trust any website other than https://www.beetoken.com/” reads one of the Bee Token Security Notices.

The Bee Token team also created a Google scam reporting form to allow users to report scams.

The RippleCryptocurrency.com had access to two different versions of the email that reported the following Ethereum addresses used by crooks:

a third one was reported on Reddit by users:

The overall amount of money contained in the three wallets at the end of the ICO was over $1 million.

Unfortunately, this kind of incident is not uncommon; for this reason, Facebook banned ads for ICOs and cryptocurrencies on its social network.

UK Government Advises Industry Sectors To Comply With Guidance Or Pay $17 Million Fine
3.2.2018 securityaffairs BigBrothers

Aiming to tackle threats from rogue nations and hackers, the UK Government urges operators to boost the security of services in critical sectors.
In November 2016 the United Kingdom published the National Cyber Security Strategy to address cyber threats from rogue nations like Iran, Russia, China, terrorists, state-sponsored hackers and cyber menaces like ransomware against the national infrastructure.

In August 2017 the UK government published a public consultation to improve United Kingdom essential services in electricity, transport, water, energy, health and digital infrastructure in accordance with the Directive on Security of Network and Information Systems (known as the NIS Directive) in cooperation with the Member States within the European Union (EU).

The NIS Directive consultation covered six main topics that are the following: identification of essential services, national Framework to manage implementation, security requirements for operators of essential services, incident reporting requirements for operators of essential services, requirements on Digital Service Providers and proposed penalty regime.

The Directive comes into play to cover aspects of network security that are not present in GDPR. Regarding GDPR the Directive aligns itself with the deadline for the implementation.

It is important to notice that there are two major and distinct bodies inspecting the compliance of the NIS Directive, the Competent Authorities, and NCSC. NCSC stands for National Cyber Security Centre a part of GCHQ, while Competent Authority stands for Regulator Body defined in NIS Directive scope for different critical sectors. This division aims to allow NCSC to carry out its function in providing expert advice and incident response capability to cyber attacks.

The NIS Directive is established in a layered fashion, with a mandatory security outcome to be achieved for each principle, like the NIST Security Framework. This ensures that the NIS Directive can be implemented throughout the whole industry regardless of sector. The layered approach takes into account the implementation of the principles without discarding the actual infrastructure.

The NIS Directive is composed of 14 principles that can be divided into four major objectives: Management of security risks (Governance, Risk Management, Asset Management, Supply chain), Protection of cyber attacks (Service protection policies and processes, Identity and access control, Data Security, System security, Resilient Networks & Systems, Staff Awareness & Training), Detection of cyber security events (Security Monitoring, Anomaly Detection) and reduction of the impact of cyber security events (Response and Recovery Planning, Improvements).

The directive sets the scope for the identification of operators of essential services and of significant disruptive effects that may pose a threat to national security, a potential threat to public safety, or the possibility of significant adverse social or economic impact. The NIS Directive lays the ground for a national framework where Government ensures that the Competent Authorities have the necessary legislative provision to accomplish their duties and the necessary resources to conduct their activities.

The penalty will only be applied once the operator of an essential service fails to comply with the directive, taking into account the following criteria listed in article 14, Security requirements and incident notification: the number of users affected by the disruption of the essential service, the duration of the incident, and the geographical spread of the area affected by the incident. The fine will be decided according to the proper measures that were not taken or implemented, with a maximum value of €17 million. There are some uncertainties about whether essential services providers can meet the implementation requirements of the NIS Directive by May 2018.



Japan’s Financial Services Agency raided the Coincheck headquarters in Tokyo after the hack
3.2.2018 securityaffairs BigBrothers

Cryptocurrencies are in the middle of a tempest. On Thursday India announced it would adopt measures to prevent the use of virtual currencies in the country, and the value of Bitcoin dropped below $9,000 for the first time since November. Finance Minister Arun Jaitley, in his annual budget, explained that his government would “take all measures to eliminate use of these crypto-assets in financing illegitimate activities or as part of the payment system”.

A week after the security breach suffered by the virtual currency exchange Coincheck, Japanese authorities raided the company.

The hackers stole 58 billion yen ($530 million), an amount of money that is greater than the value of bitcoins which disappeared from MtGox in 2014.

After the MtGox case, the Japanese government passed a law on cryptocurrencies that assigns to the FSA the task of regulating the exchanges operating in the country.

Coincheck had submitted an application to the FSA for a licence and was waiting for permission.

This week, Coincheck announced it will refund about $400 million to 260,000 customers after the hack; the company will use its own funds.

Coincheck was founded in 2012 and is one of the most important cryptocurrency exchanges in Asia.

Japanese media criticized the company, blaming the management for having underestimated the importance of security for its investors; they said Coincheck “expanded business by putting safety second”.

On Friday, agents of the Financial Services Agency raided Coincheck’s headquarters in Tokyo’s Shibuya district with the intent to verify that the company adopted proper security measures to protect its assets.

“We have launched an on-site inspection to ensure preservation of clients’ assets,” said Finance Minister Taro Aso.

Japan’s Financial Services Agency gave Coincheck until February 13 to investigate the hack, implement additional security measures and “properly” deal with the affected clients.

According to Japanese bitcoin monitoring site Jpbitcoin.com, in November, yen-denominated bitcoin trades reached a record 4.51 million bitcoins, or nearly half of the world’s major exchanges of 9.29 million bitcoin.

Why are we all silent on the surveillance?
3.2.2018 securityaffairs BigBrothers

Silicon Valley with its bright minds has come to a point where almost every day they collect information about individuals. Why are we all silent on the surveillance?
NSA spying apart, what Facebook, Apple, and Google know about their usual users is quite overwhelming. Each of these major players is trying to find more about us. They even go to our friends, family and job network.

The big guns know when you are sad or happy, as well as your general internet spending, and much more.

Technology is changing dramatically and has the power to find every bit of information about you. A perfect example of this is the Google Home Assistant, or the new self-driving cars that shockingly know where you want to go, or where your home is.

In quick succession, step by step these big guys are creating probably the most invasive surveillance population in time.

It is quite worrisome how often groups of known criminals hack them. Take Uber as an example; the ride-sharing firm is accused of getting hacked multiple times – not just once or twice.

Californians, the world, and privacy

From all of this, you might think Californians are often talking about the privacy policy not only in most private sector, where is believed that law is more occasionally meeting with people.

But they actually talk in the private sector, where they have the protection of the 4th Amendment if they encounter problems as “unreasonable” searches.

I wish to have a talk at a coffee or a dinner with a tech investor and to ask him “What is your company doing with all the information?” For the moment, there is no possibility of a confrontation at this.

Even if California, for the USA, is the center of everything. As for technology, investors, the most brilliant minds, residents and elected officials are the targeted ones when it comes to the privacy policy. And, for sure, as in everything, there are exceptions.

I would love to see in the next US elections to prioritize this issue, or it can be an impactful subject in a ballot initiative.

Unfortunately, not so many exceptions for tech employees to feel human again. However, the one pushing is the employer, who digs deep into the privacy and enjoys it.


The idea to do good is far to be reached

As I stated above, California might encounter the most impactful debate regarding privacy in the whole world in coming future. Do you consider letting companies keep user data forever? To move in a way and change the terms of service, so they breach privacy?

Should they share information with governments? Would there be an option to purge information after a while or to just request to anonymize? It’s an option for only a company to sell information and meanwhile, they discharge the debt in bankruptcy?

What obligations do parents have regarding their children’s privacy? It is awkward how Instagram tracks kids’ behavior before they reach the age of consent. Should Instagram keep that information until they are adults?

A very out of date law from California gives us a glimpse of how out of date they are: prohibiting someone to record a phone call without the consent of the other party.

For sure it is not a bad law, however, restricts everyone just for the idea of privacy. Sadly, this rule is not applied since data is gathered without shame. We can imagine revenging porn laws that protect us from unauthorized shops from centerfolds.

All in all, we exposed ourselves to comprehensive, intrusive, relentless surveillance at our daily activities.

John Naughton, an Irish academic, affirmed, “and we have no idea what the long-term implications of this (surveillance) will be.”

Some end thoughts

Some of this is the threat when others are scared by the idea of imposed limits. Yet, people value privacy and having it updated can mean a better future. For sure it is impossible to stop privacy threats sometimes.

But in exchange shouldn’t we prioritize and make things better? Californians have a high position here, more than anyone, yet they haven’t made a bit of effort.

And of course, not just the ones living in California – we all, no one, should keep their voice low against the surveillance. Speak up!

Western Digital My Cloud flaws allow local attacker to gain root access to the devices
3.2.2018 securityaffairs

Researchers at Trustwave disclosed two new vulnerabilities in Western Digital My Cloud network storage devices that could be exploited by a local attacker to delete files stored on the devices or to execute shell commands as root.

The two Western Digital My Cloud flaws are an arbitrary command execution vulnerability and an arbitrary file deletion issue. The arbitrary command execution vulnerability affects the common gateway interface script “nas_sharing.cgi” and allows a local user to execute shell commands as root. Hardcoded credentials allow any user to authenticate to the device using the username “mydlinkBRionyg.”

“The first finding was discovering hardcoded administrator credentials in the nas_sharing.cgi binary. These credentials allow anyone to authenticate to the device with the username “mydlinkBRionyg”.” states the analysis published by Trustwave. “Considering how many devices are affected this is very serious one. Interestingly enough another researcher independently released details on the same issue less than a month ago.”

The arbitrary file deletion vulnerability is also tied to the common gateway interface script “nas_sharing.cgi”.

“Another problem I discovered in nas_sharing.cgi is that it allows any user execute shell commands as root. To exploit this issue the “artist” parameter can be used.” continues the analysis.

By chaining the two flaws it is possible to execute commands as root: a local attacker could log in using the hardcoded credentials and execute a command that is passed inside the “artist” parameter using base64 encoding.
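For defenders reviewing web or proxy logs in front of an affected NAS, the two indicators named above can be checked mechanically. The following is an added example, not code from Trustwave or Western Digital; it assumes requests are logged in common log format with their query string, and the `/cgi-bin/` path, the `user` parameter name and the sample lines are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, urlsplit

HARDCODED_USER = "mydlinkBRionyg"  # username quoted in the Trustwave analysis
CGI_NAME = "nas_sharing.cgi"       # script named in the analysis

# Client address and request target of a common-log-format line.
_LOG_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)


def decodes_to_text(value):
    """Return the decoded text if value is strict base64 of printable ASCII."""
    if len(value) < 8 or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    return text if text.isprintable() else None


def inspect_request(target):
    """Return the indicators present in one request target (path + query)."""
    parts = urlsplit(target)
    if not parts.path.endswith("/" + CGI_NAME):
        return []
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # The hardcoded username is suspicious in any parameter.
        if value == HARDCODED_USER:
            findings.append("hardcoded-credential")
        # A media "artist" that is base64 of readable text is not a song tag.
        if name == "artist" and decodes_to_text(value) is not None:
            findings.append("base64-artist")
    return findings


def scan_log(lines):
    """Return (client, findings) for every log line with at least one indicator."""
    hits = []
    for line in lines:
        match = _LOG_RE.match(line)
        if not match:
            continue
        findings = inspect_request(match.group("target"))
        if findings:
            hits.append((match.group("client"), findings))
    return hits


# Constructed sample data: documentation-range addresses, harmless payload.
_B64 = quote(base64.b64encode(b"echo constructed-sample").decode(), safe="")
SAMPLE_LOG = [
    f'192.0.2.10 - - [03/Feb/2018:10:00:00 +0000] '
    f'"GET /cgi-bin/{CGI_NAME}?user={HARDCODED_USER}&artist={_B64} HTTP/1.1" 200 12',
    f'192.0.2.20 - - [03/Feb/2018:10:01:00 +0000] '
    f'"GET /cgi-bin/{CGI_NAME}?artist=Abba HTTP/1.1" 200 12',
    f'198.51.100.7 - - [03/Feb/2018:10:02:00 +0000] '
    f'"GET /index.html?user={HARDCODED_USER} HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for client, findings in scan_log(SAMPLE_LOG):
        print(client, findings)
```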

The Western Digital models affected are My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100 and My Cloud DL4100.

Trustwave reported the issues to Western Digital in 2017; according to the researchers, the flaws are addressed by the firmware update (version 2.30.172) released on Nov. 16, 2017.

“As a reminder, we urge customers to ensure the firmware on their products is always up to date; enabling automatic updates is recommended. We also urge you to implement sound data protection practices such as regular data backups and password protection, including to secure your router when you use a personal cloud or network-attached storage device.” recommends Western Digital.

JenX botnet leverages Grand Theft Auto videogame community to infect devices
3.2.2018 securityaffairs BotNet

Researchers at security firm Radware have spotted a new IoT botnet, dubbed JenX, that exploits vulnerabilities previously used by the Satori botnet and leverages the Grand Theft Auto videogame community to infect devices.

The activity of the Satori botnet was observed in 2017 by researchers from Check Point; it uses a zero-day vulnerability (CVE-2017-17215) in the Huawei home router HG532.

JenX exploits CVE-2014-8361 (Realtek SDK Miniigd UPnP SOAP command execution) and CVE-2017-17215 (Huawei Router HG532 arbitrary command execution), which affect Realtek and Huawei routers.

“A new botnet recently started recruiting IoT devices. The botnet uses hosted servers to find and infect new victims leveraging one of two known vulnerabilities that have become popular in IoT botnets recently:

CVE-2014-8361 “Realtek SDK Miniigd UPnP SOAP Command Execution” vulnerability and related exploit.
CVE-2017-17215 “Huawei Router HG532 – Arbitrary Command Execution” vulnerability and related exploit.” states Radware in a blog post.
“Both exploit vectors are known from the Satori botnet and based on code that was part of a recent public Pastebin post by the “Janit0r,” author of “BrickerBot.”

JenX also implemented some techniques used by the recently discovered PureMasuta botnet.

The command-and-control server is hosted at the site San Calvicie, which offers multiplayer mod support for Grand Theft Auto: San Andreas, and also a DDoS-for-hire service.

JenX is a DDoS botnet; the DDoS option offered by San Calvicie is called “Corriente Divina.”

Users of the website can rent a GTA San Andreas multiplayer modded server for $16, and a Teamspeak server goes for $9. For an additional $20 it is possible to power massive DDoS attacks that can peak between 290 and 300 Gbps.

“The Corriente Divina (‘divine stream’) option is described as ‘God’s wrath will be employed against the IP that you provide us,” wrote Radware’s Cyber Security expert Pascal Geenens. “It provides a DDoS service with a guaranteed bandwidth of 90-100 Gbps and attack vectors including Valve Source Engine Query and 32 bytes floods, TS3 scripts and a ‘Down OVH’ option which most probably refers to attacks targeting the hosting service of OVH, a cloud hosting provider that also was a victim of the original Mirai attacks back in September 2016. OVH is well known for hosting multi-player gaming servers such as Minecraft, which was the target of the Mirai attacks at the time.”

Unlike the Satori and PureMasuta botnets, JenX has a centralized infrastructure: it uses a central server to perform the scanning for new hosts.

“The drawback of the central approach is a less than linear growth with the number of deployed servers. Much slower compared to the exponential growth rate of and less aggressive than distributed scanning botnets,” continues the analysis.

The presence of a central server that coordinates the activity makes it easy for law enforcement and security firms to take down the botnet. Of course, threat actors can move the control server to the Dark Web, making a takeover by law enforcement hard.

Even if JenX is able to power massive DDoS attacks, for now it doesn’t represent a serious threat because it aims to disrupt services of competing GTA SA multiplayer servers.

“The botnet is supposed to serve a specific purpose and be used to disrupt services from competing GTA SA multiplayer servers. I do not believe that this will be the botnet that will take down the internet,” Geenens concluded.

“But it does contain some interesting new evolutions and it adds to a list of IoT botnets that is growing longer and faster every month! That said, there is nothing that stops one from using the cheap $20 per target service to perform 290Gbps attacks on business targets and even government related targets. I cannot believe the San Calvicie group would oppose to it.”

Japan Raids Hacked Crypto Exchange, Bitcoin Plunges Further
3.2.2018 securityweek Hacking
Japanese authorities on Friday raided virtual currency exchange Coincheck, a week after the Tokyo-based firm lost $530 million in cryptocurrency to hackers.

The raid comes as bitcoin dipped below $9,000 for the first time since November after India said Thursday it would take measures to prevent the use of cryptocurrencies.

The search of Coincheck's headquarters in Tokyo's Shibuya district was carried out by the Financial Services Agency, which had already slapped the company with an administrative order following the hack.

"We have launched an on-site inspection to ensure preservation of clients' assets," Finance Minister Taro Aso said at a briefing.

Japanese officials have suggested Coincheck lacked proper security measures, making itself vulnerable to theft.

The January 26 hack, which saw thieves syphon away 523 million units of the cryptocurrency NEM, exceeds the $480 million stolen in 2014 from another Japanese virtual currency exchange, MtGox.

Earlier this week, Japan's FSA gave Coincheck until February 13 to investigate the cause of the incident, "properly" deal with clients, strengthen risk management and take preventive measures.

Coincheck has said it will use its own funds to reimburse all 260,000 customers who lost holdings, at a rate of 88.549 yen per NEM.

The refund, which will be paid in yen, not virtual currency, will set the firm back about 46.3 billion yen ($422 million).

In the wake of the MtGox scandal, Japan passed a law on cryptocurrencies that requires exchanges to be regulated by the FSA. The law went into effect in 2017.

Coincheck had submitted an application to the FSA for a licence and was allowed to continue operating while it awaited a decision, the agency said.

Japan is a leading market for cryptocurrencies, with nearly a third of global bitcoin transactions in December denominated in yen, according to specialist website jpbitcoin.com.

Virtual currencies are popular elsewhere in Asia, including South Korea and China, but India's government on Thursday said it would crack down on their use.

Finance Minister Arun Jaitley, in his annual budget, said New Delhi would "take all measures to eliminate use of these crypto-assets in financing illegitimate activities or as part of the payment system".

Bitcoin, which soared to nearly $20,000 a unit in December, was down at $8,800 on Friday, while other digital units such as Litecoin and Ethereum have also suffered massive losses from their recent peaks.

Kaspersky Patches Vulnerabilities in Secure Mail Gateway
3.2.2018 securityweek
Kaspersky Lab this week released an update for its Secure Mail Gateway to resolve a series of vulnerabilities that could lead to account takeover, code execution, and privilege escalation.

The Kaspersky Secure Mail Gateway is an integrated email system and security solution that comes bundled with anti-spam, anti-malware, and anti-phishing and is deployed on a virtual appliance.

Core Security Technologies found four security flaws in Kaspersky’s product, including Cross-Site Request Forgery, Improper Neutralization of Special Elements in Output Used by a Downstream Component, Improper Privilege Management, and Improper Neutralization of Input during Web Page Generation.

A remote attacker could exploit these issues to gain command execution as root, Core Security's researchers say. The bugs were found in Kaspersky Secure Mail Gateway

Kaspersky Secure Mail Gateway comes with a Web Management Console to monitor the application status and manage operations, but has no cross-site request forgery protection site-wide, which could lead to administrative account takeover, Core Security's advisory noted.

An attacker could submit authenticated requests when an authenticated user browses an attacker-controlled domain, the researchers explain. Thus, a feature that allows users to restore a backup file that overwrites the appliance's configuration can be abused to overwrite the original passwd file and provide the attacker with admin access.

Furthermore, an attacker who accesses the Web Console could gain command execution as root through the injection of arbitrary content into the appliance's Postfix configuration.

The console makes it possible to add a "BCC Address for all Messages", a configuration parameter written verbatim to the appliance's Postfix main.cf configuration file. When adding LF characters to it, an attacker could inject a configuration parameter to execute arbitrary commands on the appliance as root.

This allows the attacker to execute any binary on the system, but not to pass arguments to it. However, it is possible to overcome this by abusing another Web Console functionality to upload a Python script to the file system, the researchers discovered.
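The root cause of the Postfix issue is a form value copied verbatim into a line-oriented configuration file. The sketch below is an added example, not Kaspersky's or Core Security's code, showing the unsafe rendering beside a validated one; the use of Postfix's `always_bcc` parameter is an assumption (the page only says the value lands in main.cf), and the injected line is a harmless constructed placeholder.

```python
import re

# Assumption: the console stores the field under Postfix's always_bcc
# parameter; the page only says the value is written to main.cf.
PARAM = "always_bcc"

# Deliberately strict ASCII address pattern. It is applied with fullmatch(),
# because a pattern ending in "$" used with match() would still accept a
# value that ends in a newline.
_ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def render_unsafe(value):
    """The flawed pattern: write the form value into the config verbatim."""
    return f"{PARAM} = {value}\n"


def validate_bcc(value):
    """Accept exactly one plain e-mail address, with no control characters."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        raise ValueError("control character in BCC address")
    if not _ADDR_RE.fullmatch(value):
        raise ValueError("not a single e-mail address")
    return value


def render_safe(value):
    """Validate first, then emit the single configuration line."""
    return f"{PARAM} = {validate_bcc(value)}\n"


def parameters_defined(config_text):
    """List the parameter names a main.cf-style text defines.

    Follows the main.cf layout rules: blank lines and lines whose first
    non-blank character is '#' are ignored, and a line that starts with
    whitespace continues the previous logical line.
    """
    names = []
    for line in config_text.split("\n"):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            continue  # continuation of the previous parameter
        name, sep, _ = line.partition("=")
        if sep:
            names.append(name.strip())
    return names


# Constructed input: a legitimate-looking address followed by LF and a second,
# harmless placeholder parameter.
INJECTED = "audit@example.com\ninjected_parameter = constructed-value"

if __name__ == "__main__":
    print(parameters_defined(render_unsafe(INJECTED)))
    try:
        render_safe(INJECTED)
    except ValueError as exc:
        print("rejected:", exc)
```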

The third issue could allow an attacker to elevate privileges from kluser to root by abusing a setuid binary shipped with the appliance and execute a script on the attacker-controlled location with root privileges.

A reflected cross-site scripting flaw also impacts the Management Console. The issue resides in the callback parameter of the importSettings action method.

The security researchers reported the bugs to Kaspersky in early October 2017. On February 1, 2017, Kaspersky published an advisory to announce the patching of these issues in Kaspersky Secure Mail Gateway 1.1 MR1. Impacted customers are advised to upgrade to the new release as soon as possible.