Category Archives: vulnerability spotlight

Vulnerability Spotlight: Natus NeuroWorks Multiple Vulnerabilites

Vulnerabilities discovered by Cory Duplantis from Talos

Overview


In April 2018, Talos published 5 vulnerabilities in Natus NeuroWorks software. We have also identified 3 additional vulnerabilities. This software is used in the Natus Xltek EEG medical products from Natus Medical Inc. The vulnerable devices contain an ethernet connection for data acquisition and connection to networks. The vulnerabilities exposed here can cause the affected service to crash. The vulnerabilities can be triggered remotely without authentication.

We strongly recommend readers to refer to the "Discussion" part of the previous article in order to clearly understand the risk of vulnerabilities targeting health devices.

Details


Denials Of Service


TALOS-2017-0354 (CVE-2017-2853) - Natus Xltek EEG NeuroWorks ItemList Deserialization Denial of Service Vulnerability


Upon reception of data, the application attempts to unserialize the passed data. It recognizes a variety of data types, two of which are a string and an itemlist. The header of the sent data contains the length of an itemlist; by sending an invalid length the application will crash, resulting in a denial of service.

More details can be found in the vulnerability report:

TALOS-2017-0354

TALOS-2017-0362 (CVE-2017-2858) - Natus Xltek EEG NeuroWorks ItemList Traversal Denial of Service Vulnerability


Similar to the previous vulnerability, the application attempts on receipt of data to unserialize the data passed to it. If this data contains an empty itemlist, it will cause an access violation resulting in a denial of service in the application.

More details can be found in the vulnerability report:

TALOS-2017-0362

TALOS-2017-0364 (CVE-2017-2860) - Natus Xltek EEG NeuroWorks Invalid KeyTree Entry Denial of Service Vulnerability


NeuroWorks handles a specific data structure named KeyTree. A KeyTree is a list of lists. The application assumes that the first element of a KeyTree is an ItemList. However, if the first element is a String data structure, a pointer can point to an invalid memory address, resulting in a denial of service condition.

More details can be found in the vulnerability report:

TALOS-2017-0364

Tested Versions:


Natus Xltek NeuroWorks 8

Coverage

The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 43150,43192

Vulnerability Spotlight: Hyland Perceptive Document Filters Multiple Vulnerabilites

Vulnerabilities discovered by Marcin 'Icewall' Noga from Talos

Overview


Talos has discovered multiple vulnerabilities in Hyland Perceptive Document Filters software. This software is a toolkit that allows developers to read and extract metadata from a file. It supports a large set of common file formats. In addition to this the software is also capable of converting file formats.

We identified 4 vulnerabilities that allows an attacker to execute arbitrary code on the vulnerable systems. These vulnerabilities concerns the file conversion features.

The vulnerabilities can be exploited to locally execute code as well as remotely if the framework is used in batch mode by the owners. In this context, the malicious crafted document could be automatically handled by the toolkit and a successful exploitation could result full control of the vulnerable system. The vulnerable features can be used for big data, eDiscovery, DLP, email archival, content management, business intelligence and intelligent capture services. It can convert common formats such as Microsoft's document formats into other format (for example easier to be parsed).



Details

Code Execution


TALOS-2018-0538 (CVE-2018-3855) - Hyland Perceptive Document Filters DOC to HTML updateNumbering Code Execution Vulnerability


This vulnerability impacts the conversion of DOC document to HTML file. A specially crafted DOC file can lead to a stack based buffer overflow and remote code execution.

More details can be found in the vulnerability report:

TALOS-2018-0538

TALOS-2018-0527 (CVE-2018-3844) - Hyland Perceptive Document Filters DOCX to HTML Code Execution Vulnerability


This vulnerability impacts the conversion of DOCX document to HTML file. A specially crafted DOCX file can lead to a use-after-free and remote code execution.

More details can be found in the vulnerability report:

TALOS-2018-0527

TALOS-2018-0528 (CVE-2018-3845) - Hyland Perceptive Document Filters OpenDocument to JPEG conversion SkCanvas Code Execution vulnerability


This vulnerability impacts the conversion of OpenDocument to JPEG file. A crafted OpenDocument document can lead to a SkCanvas object double free resulting in direct code execution.

More details can be found in the vulnerability report:

TALOS-2018-0528

TALOS-2018-0534 (CVE-2018-3851) - Hyland Perceptive Document Filters Microsoft Word CDATA Code Execution Vulnerability


There is a vulnerability in the conversion process of a Microsoft Word (xml) to JPG, HTML5 and couple more formats. A specially crafted Microsoft Word (xml) file can lead to heap corruption and remote code execution.

More details can be found in the vulnerability report:

TALOS-2018-0534

Tested Versions:


Perceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux
Perceptive Document Filters 11.2.0.1732 - x86/x64 Windows/Linux

Coverage


The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 45689, 45690, 45717, 45718, 45750, 45751

Vulnerability Spotlight: Multiple Issues in Foxit PDF Reader

Overview

Talos is disclosing five vulnerabilities in Foxit PDF Reader. Foxit PDF Reader is a popular free program for viewing, creating, and editing PDF documents. It is commonly used as an alternative to Adobe Acrobat Reader and has a widely used browser plugin available.  Update to the current version of Foxit PDF Reader.

Details

Vulnerabilities Discovered by Aleksandar Nikolic

TALOS-2017-0506

TALOS-2017-0506 / CVE-2017-14458 in an exploitable use-after-free vulnerability that exists specifically in the JavaScript engine of Foxit PDF Reader. When executing embedded JavaScript code, a document can be closed, which essentially frees up a lot of used objects, but the JavaScript can continue to execute. Taking advantage of this, a specially crafted PDF document can trigger a previously freed object in memory to be reused, which results in arbitrary code execution. There are a couple of different ways an adversary could leverage this attack, including tricking a user into opening a malicious PDF. Or, if the browser plugin is enabled, simply viewing the document on the internet could result in exploitation. Full details of the vulnerability can be found here.

TALOS-2018-0525

TALOS-2018-0525 / CVE-2018-3842 results from an exploitable use of an uninitialized pointer in the Javascript engine in the Foxit PDF Reader that can result in remote code execution. A specially craft PDF file could trigger this vulnerability. There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a malicious PDF or, if the browser plugin is enabled, simply viewing the document on the Internet could result in exploitation. Full details of the vulnerability can be found here.

TALOS-2018-0526

TALOS-2018-0526 / CVE-2018-3843 results from a type confusion vulnerability in the way Foxit PDF reader parses files with associated extensions. A specially crafted PDF file could trigger this vulnerability resulting in sensitive memory disclosure or, potentially, arbitrary code execution.  There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a malicious PDF or, if the browser plugin is enabled, simply viewing the document on the Internet could result in exploitation. Full details of the vulnerability can be found here.

TALOS-2018-0532

TALOS-2018-0532 / CVE-2018-3850 is a use-after-free vulnerability that exists in the Javascript engine of the Foxit PDF Reader. This specific vulnerability lies in the 'this.xfa.clone()' method, which results in a use-after-free condition. A specially crafted PDF file could trigger this vulnerability resulting in sensitive memory disclosure or, potentially, arbitrary code execution.  There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a malicious PDF or, if the browser plugin is enabled, simply viewing the document on the Internet could result in exploitation. Full details of the vulnerability can be found here.

TALOS-2018-0536

TALOS-2018-0536 / CVE-2018-3853 is a use-after-free vulnerability that exists in the JavaScript engine of the Foxit PDF Reader. The specific vulnerability lies in combinations of the 'createTemplate' and 'closeDoc' methods related to the JavaScript functionality of Foxit PDF Reader. A specially crafted PDF file could trigger this vulnerability resulting in sensitive memory disclosure or, potentially, arbitrary code execution.  There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a malicious PDF or, if the browser plugin is enabled, simply viewing the document on the Internet could result in exploitation. Full details of the vulnerability can be found here.

Coverage

The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rule: 45158-45159, 45608-45609, 45652-45653, 45715-45716, 45823-45824





Vulnerability Spotlight: Multiple Vulnerabilities in Moxa EDR-810 Industrial Secure Router

These vulnerabilities were discovered by Carlos Pacho of Cisco Talos

Today, Talos is disclosing several vulnerabilities that have been identified in Moxa EDR-810 industrial secure router.

Moxa EDR-810 is an industrial secure router with firewall/NAT/VPN and managed Layer 2 switch functions. It is designed for Ethernet-based security applications in remote control or monitoring networks. Moxa EDR-810 provides an electronic security perimeter for the protection of critical assets such as pumping/ treatment systems in water stations, DCS systems in oil and gas applications, and PLC/SCADA systems in factory automation.

Moxa has released an updated version of the firmware. Users are advised to download and install the latest release as soon as possible to fix this issue.


Vulnerability Details

TALOS-2017-0472 (CVE-2017-12120) Moxa EDR-810 Web Server ping Command Injection Vulnerability


TALOS-2017-0472 is an exploitable command injection vulnerability that exists in the web server functionality of Moxa EDR-810. A specially crafted HTTP POST can cause a privilege escalation resulting in attacker having access to a root shell. An attacker may be able to inject OS commands into the ifs= parm in the "/goform/net_WebPingGetValue" uri to trigger this vulnerability and take control over the targeted device.

TALOS-2017-0473 (CVE-2017-12121) Moxa EDR-810 Web RSA Key Generation Command Injection Vulnerability


TALOS-2017-0473 is an exploitable command injection vulnerability that exists in the web server functionality of Moxa EDR-810. A specially crafted HTTP POST can cause a privilege escalation resulting in attacker having access to a root shell. An attacker can inject OS commands into the rsakey\_name= parm in the "/goform/WebRSAKEYGen" uri to trigger this vulnerability and take control over the targeted device.

TALOS-2017-0474 (CVE-2017-14435 to 14437) Moxa EDR-810 Web Server strcmp Multiple Denial of Service Vulnerabilities


TALOS-2017-0474 describes three separate exploitable denial of service vulnerabilities that exist in the web server functionality of Moxa EDR-810. A specially crafted HTTP URI can cause a null pointer dereference resulting in denial of service. An attacker can send a GET request to "/MOXA_LOG.ini, /MOXA_CFG.ini, or /MOXA_CFG2.ini" without a cookie header to trigger this vulnerability.

TALOS-2017-0475 (CVE-2017-12123) Moxa EDR-810 Cleartext Transmission of Password Vulnerability


TALOS-2017-0475 is an exploitable clear text transmission of password vulnerability that exists in the web server and telnet functionality of Moxa EDR-810. An attacker may be able to inspect network traffic to retrieve the administrative password for the device. The attacker may then use the credentials to login into the device web management console as the device administrator.

TALOS-2017-0476 (CVE-2017-12124) Moxa EDR-810 Web Server URI Denial of Service Vulnerability


TALOS-2017-0476 is an exploitable denial of service vulnerability that exists in the web server functionality of Moxa EDR-810. Access to a specially crafted HTTP URI can cause a null pointer dereference resulting in the web server crashing. An attacker can send a crafted URI to trigger this vulnerability.

TALOS-2017-0477 (CVE-2017-12125) Moxa EDR-810 Web Server Certificate Signing Request Command Injection Vulnerability


TALOS-2017-0477 is an exploitable command injection vulnerability that exists in the web server functionality of Moxa EDR-810. A specially crafted HTTP POST request can cause a privilege escalation resulting in access to root shell. An attacker may be able to inject OS commands into the CN= parm in the "/goform/net_WebCSRGen" uri to trigger this vulnerability.

TALOS-2017-0478 (CVE-2017-12126) Moxa EDR-810 Web Server Cross-Site Request Forgery Vulnerability


TALOS-2017-0478 is an exploitable cross-site request forgery (CSRF) vulnerability that exists in the web server functionality of Moxa EDR-810. A specially crafted HTTP request can trigger a CSFR vulnerability which may allow the attacker to change the device configuration. An attacker can create a malicious html code to trigger this vulnerability and entice the user to execute the malicious code.

TALOS-2017-0479 (CVE-2017-12127) Moxa EDR-810 Plaintext Password Storage Vulnerability


TALOS-2017-0479 is a password storage vulnerability that exists in the operating system functionality of Moxa EDR-810. The device stores credentials in plaintext in /magicP/cfg4.0/cfg_file/USER_ACCOUNT.CFG. This file mirrors the contents of /etc/shadow, except that all the passwords are stored in plaintext.

TALOS-2017-0480 (CVE-2017-12128) Moxa EDR-810 Server Agent Information Disclosure Vulnerability


TALOS-2017-0480 is an exploitable information disclosure vulnerability that exists in the Server Agent functionality of Moxa EDR-810. A specially crafted TCP packet can cause the device to leak data and result in an information disclosure. An attacker may be able to send a specially crafted TCP packet to trigger this vulnerability.

TALOS-2017-0481 (CVE-2017-12129) Moxa EDR-810 Web Server Weak Cryptography for Passwords Vulnerability


TALOS-2017-0481 is an exploitable Weak Cryptography for Passwords vulnerability that exists in the web server functionality of Moxa EDR-810. After the initial login, each authenticated request sends a HTTP packet with a MD5 hash of the password. This hash is not salted and can be cracked, revealing the device's password.

TALOS-2017-0482 (CVE-2017-14432 to 14434) Moxa EDR-810 Web Server OpenVPN Config Multiple Command Injection Vulnerabilities


TALOS-2017-0482 describes multiple exploitable command injection vulnerabilities that exist in the web server functionality of Moxa EDR-810. A specially crafted HTTP POST request may cause a privilege escalation resulting in an attacker having access to a root shell. An attacker may be able to inject OS commands into various parameters in the "/goform/net_Web_get_value" uri to trigger this vulnerability.

TALOS-2017-0487 (CVE-2017-14438 and 14439) Moxa EDR-810 Service Agent Multiple Denial of Service


TALOS-2017-0487 describes two exploitable denial of service vulnerabilities that exist in the Service Agent functionality of Moxa EDR-810. A specially crafted packet can cause a denial of service. An attacker may be able to send a large packet to tcp ports 4000 or 4001 to trigger this vulnerability.

For the full technical details of these vulnerabilities, please refer to the vulnerability advisories that are posted on our website:

http://www.talosintelligence.com/vulnerability-reports/

Affected versions


The discovered vulnerabilities have been confirmed in Moxa EDR-810 V4.1 build 17030317 but they may also affect earlier versions of the product.

Discussion


Industrial control systems (ICS), including supervisory control and data acquisition (SCADA) systems, are used in industries such as energy providers, manufacturing and critical infrastructure providers in order to control and monitor various aspects of various industrial processes. ICS systems employ many mechanisms and protocols also used in traditional IT systems and networks.

Although some characteristics of traditional IT systems and ICS are similar, ICS also have characteristics that differ in their service level and performance requirements. Many of these differences come from the fact that ICS has a direct effect on the physical world which may also include a risk to the health and safety of the population and a potential to cause damage to the environment. For that reason ICS have unique reliability requirements and may use real-time operating systems and applications that would not be used in everyday IT environments.

One of the pillars of ICS security, as well as the security of traditional IT networks, is restricting access to network activity. This may include unidirectional gateways, a demilitarized zone (DMZ) network architecture with firewalls and separate authentication mechanisms and credentials for users of corporate and ICS networks.

ICS devices, including firewalls that secure networks, run software which can contain vulnerabilities and serve as a pathway that may allow attackers to take advantage and intrude into an ICS network environment.

Cisco Talos vulnerability research team also focuses on non traditional computing environments, including ICS, to find previously unknown vulnerabilities and work with vendors to responsibly disclose them while allowing the vendor enough time to improve security of the products by fixing the discovered vulnerabilities.

Moxa EDR-810 is one of the devices specialized in providing firewalls specifically designed to function within ICS infrastructure and provide network security to ICS processes. Cisco Talos researchers have discovered several vulnerabilities affecting the security of the product. Moxa EDR-810 users are recommended to update the software as soon as possible to avoid their ICS environment potentially being exploited by attackers.

Coverage


The following Snort Rules detect attempts to exploit these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For all current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules:

  • 31939, 40880, 44835-44837, 44840-44842, 44847-44852, 44855, 44858

Vulnerability Spotlight: Multiple Simple DirectMedia Layer Vulnerabilities

Discovered by Lilith Wyatt of Cisco Talos

Overview



Talos is disclosing several vulnerabilities identified in Simple DirectMedia Layer's SDL2_Image library that could allow code execution. Simple DirectMedia Layer is a cross-platform development library designed to provide low level access to audio, keyboard, mouse, joystick, and graphics hardware via OpenGL and Direct3D. It is used by video playback software, emulators, and popular games including Valve's award winning catalog and many Humble Bundle games. SDL officially supports Windows, Mac OS X, Linux, iOS, and Android. Support for other platforms may be found in the source code. The SDL2_Image library is an optional component for SDL that deals specifically with parsing and displaying a variety of image file formats, creating a single and uniform API for image processing, regardless of the type. The latest SDL version (2.0.8) can be found here.

TALOS-2018-0519  - Simple DirectMedia Layer SDL2_Image IMG_LoadPCX_RW Information Disclosure Vulnerability (CVE-2018-3837)



An exploitable vulnerability exists in the PCX image rendering functionality of SDL2_image-2.0.2. A specially crafted PCX image can cause an out-of-bounds read on the heap, resulting in information disclosure . An attacker can display a specially crafted image to trigger this vulnerability.

TALOS-2018-0520 - Simple DirectMedia Layer SDL2_Image load_xcf_tile_rle Information Disclosure Vulnerability (CVE-2018-3838)



Exploitable vulnerabilities exists in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause an out-of-bounds read on the heap, resulting in information disclosure. An attacker can display a specially crafted image to trigger this vulnerability.

TALOS-2018-0521 - Simple DirectMedia Layer SDL2_Image load_xcf_tile_rle bpp Code Execution Vulnerability (CVE-2018-3839)



Exploitable vulnerabilities exists in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause an out-of-bounds read on the heap, resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability.

Coverage



The following Snort rules will detect exploitation attempts. Note that additional rules may be

released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 45017-45018, 45599-45600,45605-45606

Vulnerability Spotlight: Multiple Computerinsel PhotoLine PSD Code Execution Vulnerabilities



Discovered by Tyler Bohan of Cisco Talos

Overview


Today, Cisco Talos is disclosing a vulnerability within Computerinsel PhotoLine's PSD-parsing functionality. Photoline is an image processing tool used to modify and edit images, as well as other graphic-related material. This product has a large user base and is popular in its specific field. The vulnerable component is in the handling of PSD documents. PSD is a document format used by Adobe Photoshop, and is supported by many third-party applications throughout the industry.

The vulnerability arises in parsing the PSD document. The application takes data directly from the document without verification and uses it to calculate an address. The document has a specially crafted blending channel value leading to this miscalculation. Below is the area of the crash.

TALOS-2018-0546 - Computerinsel Photoline TIFF Samples Per Pixel Parsing Code Execution Vulnerability (CVE-2018-3861)


A memory corruption vulnerability exists in the TIFF parsing functionality of Computerinsel Photoline 20.53. A specially crafted TIFF image processed via the application can lead to an out of bounds write overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain code execution. Detailed vulnerability information can be found here.

TALOS-2018-0547 - Computerinsel Photoline TIFF Bits Per Pixel Parsing Code Execution Vulnerability (CVE-2018-3862)


A memory corruption vulnerability exists in the TIFF parsing functionality of Computerinsel Photoline 20.53. A specially crafted TIFF image processed via the application can lead to an out of bounds write overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain code execution. Detailed vulnerability information can be found here.

TALOS-2018-0550 - Computerinsel Photoline PSD Blending Channels Code Execution Vulnerability (CVE-2018-0550)


A memory corruption vulnerability exists in the PSD-parsing functionality of Computerinsel PhotoLine 20.53. A specially crafted PSD document processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a PSD document to trigger this vulnerability and gain code execution. Detailed vulnerability information can be found here.

TALOS-2018-0561 - Computerinsel Photoline PCX Decompress Code Execution Vulnerability (CVE-2018-3886)


A memory corruption vulnerability exists in the PCX parsing functionality of Computerinsel Photoline 20.53. A specially crafted PCX image processed via the application can lead to an out-of-bounds write overwriting arbitrary data. An attacker can deliver a PCX image to trigger this vulnerability and gain code execution. Detailed vulnerability information can be found here.

TALOS-2018-0562 - Computerinsel Photoline PCX Run Length Code Execution Vulnerability (CVE-2018-3887)


A memory corruption vulnerability exists in the PCX parsing functionality of Computerinsel Photoline 20.53. A specially crafted PCX image processed via the application can lead to an out-of-bounds write overwriting arbitrary data. An attacker can deliver a PCX image to trigger this vulnerability and gain code execution. Detailed vulnerability information can be found here.

TALOS-2018-0563 - Computerinsel Photoline PCX Color Map Code Execution Vulnerability (CVE-2018-3888)


A memory corruption vulnerability exists in the PCX parsing functionality of Computerinsel Photoline 20.53. A specially crafted PCX image processed via the application can lead to an out-of-bounds write overwriting arbitrary data. An attacker can deliver a PCX image to trigger this vulnerability and gain code execution. Detailed vulnerability information can be found here.

TALOS-2018-0564 - Computerinsel Photoline PCX Bits Per Pixel Code Execution Vulnerability (CVE-2018-3889)


A memory corruption vulnerability exists in the PCX parsing functionality of Computerinsel Photoline 20.53. A specially crafted PCX image processed via the application can lead to an out of bounds write overwriting arbitrary data. An attacker can deliver a PCX image to trigger this vulnerability and gain code execution. Detailed vulnerability information can be found here.

Known vulnerable versions


Computerinsel PhotoLine 20.53 for OS X

(https://www.pl32.com)

Coverage


The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Console or Snort.org.

Snort Rules: 39601-39632, 45997-46000, 46093-46094, 46222-46223, 46224-46225, 46143-46146, 46241-46242