Category Archives: remote code execution

‘Zip Slip’ Vulnerability Affects Thousands of Projects Across Many Ecosystems

Security researchers at British software firm Snyk have revealed details of a critical vulnerability that affects thousands of projects across many ecosystems and can be exploited by attackers to achieve code execution on the target systems. Dubbed "Zip Slip," the issue is an arbitrary file overwrite vulnerability that triggers from a directory traversal attack while extracting files from an

Vulnerability Spotlight: Natus NeuroWorks Multiple Vulnerabilites

Vulnerabilities discovered by Cory Duplantis from Talos

Overview


In April 2018, Talos published 5 vulnerabilities in Natus NeuroWorks software. We have also identified 3 additional vulnerabilities. This software is used in the Natus Xltek EEG medical products from Natus Medical Inc. The vulnerable devices contain an ethernet connection for data acquisition and connection to networks. The vulnerabilities exposed here can cause the affected service to crash. The vulnerabilities can be triggered remotely without authentication.

We strongly recommend readers to refer to the "Discussion" part of the previous article in order to clearly understand the risk of vulnerabilities targeting health devices.

Details


Denials Of Service


TALOS-2017-0354 (CVE-2017-2853) - Natus Xltek EEG NeuroWorks ItemList Deserialization Denial of Service Vulnerability


Upon reception of data, the application attempts to unserialize the passed data. It recognizes a variety of data types, two of which are a string and an itemlist. The header of the sent data contains the length of an itemlist; by sending an invalid length the application will crash, resulting in a denial of service.

More details can be found in the vulnerability report:

TALOS-2017-0354

TALOS-2017-0362 (CVE-2017-2858) - Natus Xltek EEG NeuroWorks ItemList Traversal Denial of Service Vulnerability


Similar to the previous vulnerability, the application attempts on receipt of data to unserialize the data passed to it. If this data contains an empty itemlist, it will cause an access violation resulting in a denial of service in the application.

More details can be found in the vulnerability report:

TALOS-2017-0362

TALOS-2017-0364 (CVE-2017-2860) - Natus Xltek EEG NeuroWorks Invalid KeyTree Entry Denial of Service Vulnerability


NeuroWorks handles a specific data structure named KeyTree. A KeyTree is a list of lists. The application assumes that the first element of a KeyTree is an ItemList. However, if the first element is a String data structure, a pointer can point to an invalid memory address, resulting in a denial of service condition.

More details can be found in the vulnerability report:

TALOS-2017-0364

Tested Versions:


Natus Xltek NeuroWorks 8

Coverage

The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 43150,43192

Critical RCE Flaw Discovered in Blockchain-Based EOS Smart Contract System

Security researchers have discovered a series of new vulnerabilities in EOS blockchain platform, one of which could allow remote hackers to take complete control over the node servers running the critical blockchain-based applications. EOS is an open source smart contract platform, known as 'Blockchain 3.0,' that allows developers to build decentralized applications over blockchain

Hackers are exploiting a new zero-day flaw in GPON routers

Even after being aware of various active cyber attacks against the GPON Wi-Fi routers, if you haven't yet taken them off the Internet, then be careful—because a new botnet has joined the GPON party, which is exploiting an undisclosed zero-day vulnerability in the wild. Security researchers from Qihoo 360 Netlab have warned of at least one botnet operator exploiting a new zero-day

Another severe flaw in Signal desktop app lets hackers steal your chats in plaintext

For the second time in less than a week, users of the popular end-to-end encrypted Signal messaging app have to update their desktop applications once again to patch another severe code injection vulnerability. Discovered Monday by the same team of security researchers, the newly discovered vulnerability poses the same threat as the previous one, allowing remote attackers to inject malicious

Red Hat Linux DHCP Client Found Vulnerable to Command Injection Attacks

A Google security researcher has discovered a critical remote command injection vulnerability in the DHCP client implementation of Red Hat Linux and its derivatives like Fedora operating system. The vulnerability, tracked as CVE-2018-1111, could allow attackers to execute arbitrary commands with root privileges on targeted systems. Whenever your system joins a network, it’s the DHCP client

Adobe Releases Critical Security Updates for Acrobat, Reader and Photoshop CC

Adobe has just released new versions of its Acrobat DC, Reader and Photoshop CC for Windows and macOS users that patch 48 vulnerabilities in its software. A total of 47 vulnerabilities affect Adobe Acrobat and Reader applications, and one critical remote code execution flaw has been patched in Adobe Photoshop CC. Out of 47, Adobe Acrobat and Reader affect with 24 critical vulnerabilities—

Simple bug could lead to RCE flaw on apps built with Electron Framework

A critical remote code execution vulnerability has been discovered in the popular Electron web application framework that could allow attackers to execute malicious code on victims' computers. Electron is an open source app development framework that powers thousands of widely-used desktop applications including WhatsApp, Skype, Signal, Wordpress, Slack, GitHub Desktop, Atom, Visual Studio

Severe Bug Discovered in Signal Messaging App for Windows and Linux

Security researchers have discovered a severe vulnerability in the popular end-to-end encrypted Signal messaging app for Windows and Linux desktops which could allow remote attackers to execute malicious code on recipients system just by sending a message—without requiring any user interaction. Discovered by Alfredo Ortega, a software security consultant from Argentina, the vulnerability was

Microsoft Patches Two Zero-Day Flaws Under Active Attack

It's time to gear up for the latest May 2018 Patch Tuesday. Microsoft has today released security patches for a total of 67 vulnerabilities, including two zero-days that have actively been exploited in the wild by cybercriminals, and two publicly disclosed bugs. In brief, Microsoft is addressing 21 vulnerabilities that are rated as critical, 42 rated important, and 4 rated as low severity.

A Simple Tool Released to Protect Dasan GPON Routers from Remote Hacking

Since hackers have started exploiting two recently disclosed unpatched critical vulnerabilities found in GPON home routers, security researchers have now released an unofficial patch to help millions of affected users left vulnerable by their device manufacturer. Last week, researchers at vpnMentor disclosed details of—an authentication bypass (CVE-2018-10561) and a root-remote code execution

8 New Spectre-Class Vulnerabilities (Spectre-NG) Found in Intel CPUs

A team of security researchers has reportedly discovered a total of eight new "Spectre-class" vulnerabilities in Intel CPUs, which also affect at least a small number of ARM processors and may impact AMD processor architecture as well. Dubbed Spectre-Next Generation, or Spectre-NG, the partial details of the vulnerabilities were first leaked to journalists at German computer magazine Heise,

Critical Vulnerability in Docker Tool for Windows Allows RCE; Patch Available

A recent vulnerability in the Windows Host Compute Service Shim (hcsshim) library that allows users to import Docker container images in Docker for Windows could have enabled remote code execution on the Windows host.

The open source hcsshim library was developed by Microsoft as a wrapper for use with its Host Compute Service (HCS).

The vulnerability is triggered because the hcsshim library used by a container management service does not properly validate input whenever a container image is imported, potentially triggering the execution of malicious code on the targeted machine.

“Docker for Windows uses the Windows Host Compute Service Shim published and maintained by Microsoft,” wrote software developer Michael Hanselmann who reported the vulnerability. “Its use of Go’s filepath.Join function with unsanitized input allowed to create, remove and replace files in the host file system, leading to remote code execution. Importing a Docker container image or pulling one from a remote registry isn’t commonly expected to make modifications to the host file system outside of the Docker-internal data structures.”

Tagged as CVE-2018-8115, it has been dubbed critical by Microsoft, although the chances it would be exploited in the wild are seen as very low.

“To exploit the vulnerability, an attacker would place malicious code in a specially crafted container image which, if an authenticated administrator imported (pulled), could cause a container management service utilizing the Host Compute Service Shim library to execute malicious code on the Windows host,” reads the advisory. “An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.”

While full technical details of the vulnerability have yet to be made available, Hanselmann did receive approval from Microsoft to release a proof-of-concept along with technical details on May 9.

The vulnerability has already been fixed with the release of hcsshim 0.6.10 and everyone using Docker for Windows is urged to get this latest version of the library.

Microsoft Issues Emergency Patch For Critical Flaw In Windows Containers

Just a few days prior to its monthly patch release, Microsoft released an emergency patch for a critical vulnerability in the Windows Host Compute Service Shim (hcsshim) library that could allow remote attackers to run malicious code on Windows computers. Windows Host Compute Service Shim (hcsshim) is an open source library that helps "Docker for Windows" execute Windows Server containers