SAP Resolves High Risk Flaws with February 2018 Patches
15.2.2018 securityweek Vulnerability
SAP this week released its monthly set of security updates for its products, addressing a total of 11 new vulnerabilities, including two considered high severity.
Adding the number of patches released after the second Tuesday of January and before the second Tuesday of this month, along with updates to previously released patches, totals 26 Security Notes (5 high-, 19 medium- and 2 low-risk).
The Security Notes SAP released as part of the February 2018 Security Patch Day fix three cross-site scripting (XSS) flaws, two directory traversal issues, two missing authorization checks, two information disclosure bugs, one unrestricted file upload, and four other vulnerabilities, SAP says in an advisory.
The 11 new notes impact Internet Graphics Server (IGS), NetWeaver System Landscape Directory, HANA Extended Application Services, ABAP File Interface, SAP CRM, ERP Financials Information System, Netweaver Portal, Netweaver Java Web Application, CRM WebClient UI, BI Launchpad, and SAP HANA.
The updates for previous Security Notes include an incorrect authorization check in ERP Logistics, a cross-site request forgery (CSRF) vulnerability in SAP Sybase, and an issue related to the handling of digitally signed notes in SAP Note Assistant.
When all of the Security Notes released since the second Tuesday of January are taken into consideration, missing authorization check emerges as the most common vulnerability type, with seven occurrences, followed by XSS at five. SAP also addressed four implementation flaws, three directory traversals, two SQL injections, one SSRF, one cross-site request forgery, and one denial-of-service.
The most severe of the issues is a missing authentication check in SAP NetWeaver System Landscape Directory (CVE-2018-2368), with a CVSS base score of 8.3. An attacker exploiting it could access a service without any authorization procedures, which could lead to information disclosure, privilege escalation and other attacks, explains ERPScan, a company specialized in securing SAP and Oracle products.
Another critical bug (CVE-2018-2395) addressed this month impacted SAP IGS, had a CVSS base score of 8.3, and consisted of several vulnerabilities: unrestricted file upload (CVE-2018-2395), DoS (CVE-2018-2394, CVE-2018-2396, CVE-2018-2391, CVE-2018-2390, CVE-2018-2386, CVE-2018-2385, CVE-2018-2384), XML external entity (XXE) (CVE-2018-2393, CVE-2018-2392), log injection (CVE-2018-2389), and information disclosure (CVE-2018-2382, CVE-2018-2387).
SAP also resolved several information disclosure bugs (CVSS base score: 7.1) in HANA Extended Application Services: CVE-2018-2374, CVE-2018-2375, CVE-2018-2376, CVE-2018-2379, CVE-2018-2377, CVE-2018-2372 and CVE-2018-2373. These could lead to sensitive data leaks, including HANA database usernames and passwords, reveals Onapsis, the company that reported the flaws.
“Two high Priority notes have been published in tandem this month (notes #1584573 and #1977547). These notes are a re-release of an old note published as far back as 2011. It concerns an SQL-injection vulnerability in the component BC-UPG,” Onapsis explains.
Other bugs addressed this month included a directory traversal (CVE-2018-2380) in SAP Internet Sales (CVSS base score: 6.6), a directory traversal (CVE-2018-2367) in SAP ABAP File Interface (CVSS base score: 6.6), and an information disclosure (CVE-2018-2369) in SAP HANA (CVSS base score: 5.3).
Nine Remotely Exploitable Vulnerabilities Found in Dell EMC Storage Platform
15.2.2018 securityweek Vulnerability
Nine remotely exploitable vulnerabilities have been found in Dell EMC's Isilon OneFS platform, a scale-out NAS storage platform that combines modular hardware with unified software to harness unstructured data.
"Multiple vulnerabilities were found in the Isilon OneFS Web console that would allow a remote attacker to gain command execution as root," warns an advisory released today.
The vulnerabilities were discovered by researchers Ivan Huertas and Maximiliano Vidal from CoreLabs, the research center of Core Security, and disclosed to Dell in September 2017. A range of Isilon OneFS versions from 7.1.1.11 to 8.0.1.2 were found to be affected by two or more of the vulnerabilities. "Other products and versions might be affected, but they were not tested," states the advisory.
The Isilon web console contains several features that are vulnerable to cross-site request forgery. Since there are no anti-CSRF tokens in any forms on the web interface, an attacker can submit authenticated requests when an authenticated user browses an attacker-controlled domain. If social engineering can convince an authenticated user or administrator to visit a malicious website, embedded code could be executed to create a new user with elevated privileges, or execute arbitrary commands in the target system.
This is the first (CVE-2018-1213) of the nine vulnerabilities. Two privilege escalation vulnerabilities could then be used, once initial access has been achieved, to allow the attacker to run shell commands or arbitrary Python code with root privilege.
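The web console flaw described above comes down to the server accepting any authenticated request no matter where the form was submitted from. The following is an added example of the server-side check that closes that gap; it is not Dell EMC's code. It assumes a framework-agnostic request made of a method, headers, cookies and form fields (the request dictionaries, the session id and the site origin `https://console.example` are constructed), and a per-deployment secret key.

```python
"""Server-side CSRF protection for state-changing requests: a per-session
synchronizer token that a page on another origin cannot read, plus an
Origin/Referer check as an independent second layer.
Added example, not Dell EMC's code; request dictionaries stand in for an
HTTP framework's request object and are constructed."""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SECRET_KEY = secrets.token_bytes(32)   # assumption: per-deployment server secret
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def issue_csrf_token(session_id: str, key: bytes = SECRET_KEY) -> str:
    """Token to embed in every form the server renders; bound to the session via HMAC."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_is_valid(token, session_id, key: bytes = SECRET_KEY) -> bool:
    """Recompute the HMAC for this session and compare in constant time."""
    if not token or not session_id or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def origin_is_allowed(headers: dict, site_origin: str) -> bool:
    """Origin (or Referer as fallback) must name our own site; a missing header is rejected."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == site_origin


def check_request(request: dict, site_origin: str, key: bytes = SECRET_KEY) -> str:
    """Return 'ok' or a rejection reason. Safe methods are exempt only if they have no side effects."""
    if request["method"] in SAFE_METHODS:
        return "ok"
    if not origin_is_allowed(request["headers"], site_origin):
        return "reject: cross-site origin"
    session_id = request["cookies"].get("session")
    if not token_is_valid(request["form"].get("csrf_token"), session_id, key):
        return "reject: missing or invalid csrf token"
    return "ok"


SITE = "https://console.example"   # constructed site origin
SESSION = "sess-0123"              # constructed session id; the browser attaches it automatically


def forged_request() -> dict:
    """What the console receives when a logged-in user's browser auto-submits a form from
    another origin: the session cookie rides along, but there is no token and a foreign Origin."""
    return {"method": "POST", "headers": {"Origin": "https://attacker.example"},
            "cookies": {"session": SESSION}, "form": {"action": "add_user"}}


def legitimate_request() -> dict:
    """Same action submitted from a form the console itself rendered."""
    return {"method": "POST", "headers": {"Origin": SITE},
            "cookies": {"session": SESSION},
            "form": {"action": "add_user", "csrf_token": issue_csrf_token(SESSION)}}


if __name__ == "__main__":
    print("forged:", check_request(forged_request(), SITE))
    print("legitimate:", check_request(legitimate_request(), SITE))
```

A form the server renders carries the token from `issue_csrf_token`; a page on another origin cannot read it, so an auto-submitted cross-site form arrives with the session cookie but no valid token and is rejected even if the Origin check were absent. Rejecting requests that carry neither Origin nor Referer is the strict choice and may need relaxing for non-browser API clients.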
The first of these (CVE-2018-1203) is possible because of incorrect sudo permissions. "The compadmin user can run the tcpdump binary with root privileges via sudo," explains the advisory. "This allows for local privilege escalation, as tcpdump can be instructed to run shell commands when rotating capture files."
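The tcpdump grant above is the kind of rule a periodic sudoers review should catch. The following is an added audit script, not Dell EMC's or Core Security's code: it parses sudoers-style rules and flags any that let a non-root account run tcpdump, or anything at all, as root. The sample rules are constructed and are not Isilon's real configuration; the set of flagged binaries holds only tcpdump because that is the one the advisory names.

```python
"""Audit sudoers-style rules for grants that amount to a root shell.
Added example with constructed sample rules; not Isilon's real sudoers."""
import re
from dataclasses import dataclass

# Binaries whose ordinary options can launch a child command, so a root sudo grant
# for them is effectively a root grant. The advisory names tcpdump (it runs a
# command when rotating capture files); extend this set from your own review.
SHELL_ESCAPE_BINARIES = {"tcpdump"}

RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"^(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT"
                    r"|LOG_OUTPUT|NOLOG_OUTPUT):\s*", re.I)
ALIAS_KEYWORDS = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


@dataclass
class Finding:
    line_no: int
    user: str
    runas: str
    command: str
    reason: str


def parse_rules(text: str):
    """Yield (line_no, user, runas_user, tags, command) for each command in each user spec."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(ALIAS_KEYWORDS):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # "(user:group)" -> user; an omitted runas means sudo's default, root
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            tags = set()
            while (t := TAG_RE.match(cmd)):
                tags.add(t.group(0).rstrip(": ").upper())
                cmd = cmd[t.end():]
            yield line_no, m.group("user"), runas, tags, cmd


def audit(text: str) -> list:
    findings = []
    for line_no, user, runas, tags, cmd in parse_rules(text):
        if user == "root" or runas not in ("root", "ALL"):
            continue
        if cmd == "ALL":
            findings.append(Finding(line_no, user, runas, cmd, "unrestricted command as root"))
            continue
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if binary in SHELL_ESCAPE_BINARIES and "NOEXEC" not in tags:
            # NOEXEC makes sudo block the command from executing further programs,
            # which is the usual fix when the grant itself cannot be removed.
            reason = f"{binary} can launch a child command as root"
            if "NOPASSWD" in tags:
                reason += " (no password required)"
            findings.append(Finding(line_no, user, runas, cmd, reason))
    return findings


# Constructed sample, not a real Isilon configuration.
SAMPLE_SUDOERS = """\
Defaults    env_reset
root        ALL=(ALL) ALL
compadmin   ALL=(root) NOPASSWD: /usr/sbin/tcpdump
backup      ALL=(root) NOEXEC: /usr/sbin/tcpdump   # mitigated with NOEXEC
www         ALL=(www) /usr/sbin/tcpdump              # runs as www, not root
admin       ALL=(ALL) ALL
ops         ALL=(root) /bin/ls, /usr/bin/df
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        print(f"line {f.line_no}: {f.user} -> ({f.runas}) {f.command}: {f.reason}")
```

Run it against the output of `visudo -c -f` exported rules or the sudoers file itself. Rules tagged NOEXEC are skipped because sudo's NOEXEC stops the command from executing further programs; the other remediation is a dedicated wrapper that fixes the arguments so the rotation option cannot be supplied.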
The second (CVE-2018-1204) is privilege escalation via remote support scripts. "As a cluster administrator or compadmin, it is possible to enable the remote support functionality, hence enabling the isi_phone_home tool via sudo," explain the researchers. "This tool is vulnerable to a path traversal when reading the script file to run, which would enable an attacker to execute arbitrary python code with root privileges."
The remaining six vulnerabilities are persistent cross-site scripting errors: in the cluster description; the Network Configuration page; the Authentication Providers page; the Antivirus page; the Job Operations page; and the NDMP page.
All nine vulnerabilities were responsibly disclosed to Dell EMC on 25 September 2017. At first (about one month later), Dell proposed an update schedule including June 2018. CoreLabs replied that this was unacceptable "given current industry standards."
Dell reviewed its schedules, and confirmed that they would have a fix available by February 12, 2018. The two parties agreed to release details of the vulnerabilities and fixes on February 14. Dell's fixes are available from its support site today. Dell's own advisory will be posted to the Full Disclosure mailing list today. It had not been done at the time of writing this article.
Dell completed the acquisition of data storage firm EMC in September 2016 in a record $67 billion deal. In the same deal, Dell also acquired RSA.
Core Security merged with SecureAuth and raised more than $200 million from K1 Investment Management and Toba Capital in September 2017.
Windows Analytics Helps Assess Risk of Meltdown, Spectre Attacks
15.2.2018 securityweek Security
Microsoft is stepping up its efforts to help IT professionals better assess whether their Windows devices are protected against the industry-wide Meltdown and Spectre attack techniques.
Publicly detailed in the beginning of this year, the two attacks allow malicious applications to bypass memory isolation mechanisms and access potentially sensitive data. Residing in the processors themselves, the bugs affect billions of devices.
Tech companies were informed of the bugs last year and worked hard on releasing both software and firmware mitigations, but some of the patches added instability and their delivery was stopped. Microsoft too decided to disable mitigations for one Spectre attack variation as systems became unstable.
After halting the initial patches several weeks ago, Intel recently rolled out new microcode updates to address one of the Spectre vulnerabilities in its Skylake processors. IBM, Oracle, and many other vendors rushed to push out patches for the bugs as well, and malware that abuses the vulnerabilities emerged as well.
Being hardware-based security vulnerabilities, Meltdown and Spectre represent a challenge for the entire industry, Microsoft says. Not only are updates required for both CPU microcode (firmware) and the operating system, but the anti-virus has to be compatible with the patches as well, at least on Windows.
To help IT professionals assess whether the Windows devices in their networks are protected against Spectre and Meltdown, Microsoft has added new capabilities to its free Windows Analytics service.
With the help of these new features, admins can access reports on the status of all Windows devices they manage, Terry Myerson, Executive Vice President, Windows and Devices Group, explains.
Now, admins can learn whether the anti-virus (AV) software is compatible with the required Windows OS updates, thus knowing whether it is safe or not to install the patches.
Furthermore, information on which Windows security update is running on a managed device and if any of these updates have been disabled is now available (IT administrators have the option to install the security update but disable the fix).
Now, Windows Analytics also offers details on the firmware installed on the device, providing information on whether the firmware includes the specific protections required. This insight, however, will be initially limited to the list of approved and available firmware security updates from Intel.
“We will be adding other CPU (chipset) partners’ data as it becomes available to Microsoft,” Myerson points out.
Windows Analytics is currently running on millions of devices, Microsoft says. The newly included capabilities will be available on all Windows 7 SP1, Windows 8.1 and Windows 10 devices running the service.
Hackers have exploited a zero-day in Bitmessage client to steal Electrum wallet keys
15.2.2018 securityaffairs Exploit
Bitmessage developers have issued an emergency update for the PyBitmessage client that patches a critical remote code execution vulnerability that has been exploited in attacks.
The Bitmessage development team has rolled out an emergency patch to address a zero-day vulnerability in the PyBitmessage client for Bitmessage, a peer-to-peer (P2P) communications protocol used to send encrypted messages between users.
The flaw is a critical remote code execution vulnerability that, according to the experts, was being exploited in the wild to steal Bitcoin wallet keys.
According to the security advisory published by the development team, hackers exploited the flaw in attacks against users running PyBitmessage 0.6.2.
“A remote code execution vulnerability has been spotted in use against some users running PyBitmessage v0.6.2. The cause was identified and a fix has been added and released as 0.6.3.2. If you run PyBitmessage via code, we highly recommend that you upgrade to 0.6.3.2. Alternatively you may downgrade to 0.6.1 which is unaffected.” reads the advisory.
The message encoding vulnerability has been patched with the release of version 0.6.3.2. The developers highlighted that PyBitmessage 0.6.1 is not affected, which means that users can also downgrade to that version to mitigate the attacks.
According to the advisory, the attackers also targeted Bitmessage core developer Peter Šurda; his keys were most likely compromised, and for this reason he has created a new support address.
“Bitmessage developer Peter Šurda’s addresses are to be considered compromised.” continues the advisory.
Users are advised to change their passwords and create new Bitmessage keys.
Šurda speculates the attacker exploited the zero-day to create a remote shell and steal bitcoins from Electrum wallets.
“The exploit is triggered by a malicious message if you’re the recipient (including joined chans),” Šurda wrote in a Reddit thread. “The attacker ran an automated script but also opened, or tried to open, a remote reverse shell. The automated script looked in ~/.electrum/wallets, but when using the reverse shell he had access to other files as well.”
Bitmessage developers are still investigating the attacks.
Windows Analytics now includes Meltdown and Spectre detector
15.2.2018 securityaffairs Security
Good news for administrators of Windows systems: Microsoft has added a Meltdown-and-Spectre detector to its telemetry analysis tool Windows Analytics.
The detector has been available since Tuesday, when Microsoft announced the new capabilities implemented in the free Windows Analytics service.
The new capabilities allow admins to monitor:
Anti-virus Status: Some anti-virus (AV) software may not be compatible with the required Windows Operating System updates. This status insight indicates if the devices’ anti-virus software is compatible with the latest Windows security update.
Windows Operating System Security Update Status: This Windows Analytics insight will indicate which Windows security update is running on any device and if any of these updates have been disabled. In some cases, IT Administrators may choose to install the security update, but disable the fix. Our complete list of Windows editions and security updates can be found in our Windows customer guidance article.
Firmware Status: This insight provides details about the firmware installed on the device. Specifically, this insight reports if the installed firmware indicates that it includes the specific protections required. Initially, this status will be limited to the list of approved and available firmware security updates from Intel. We will be adding other CPU (chipset) partners’ data as it becomes available to Microsoft.
The check for the status of the Operating System could allow admins to verify that the Meltdown and Spectre patches are working correctly.
The antivirus check allows admins to verify if the running AV is compatible with required Windows Operating System updates.
The check for firmware status currently works only for Intel chips.
The Meltdown-and-Spectre detector is available for Windows 7 through Windows 10 and requires that systems are running the February 2018 patch levels (Win7 SP1, KB2952664; Win8.1, KB2976978; and for Win10, KB4033631).
Critical Code Execution Flaws Patched in Android
14.2.2018 securityweek Android
Google this month addressed several critical severity remote code execution (RCE) vulnerabilities in the Android operating system.
Split in two parts, the Android Security Bulletin for February 2018 resolves only 26 vulnerabilities in the mobile operating system, most of which are rated high severity. The vast majority of the security issues are elevation of privilege (EoP) bugs.
A total of 7 issues were addressed with the 2018-02-01 security patch level, including 6 flaws in Media Framework and one vulnerability in the System component.
This month, Google addressed two critical RCE bugs in Media Framework: CVE-2017-13228, which impacts Android 6.0 and newer, and CVE-2017-13230, which impacts Android 5.1.1 and later (it is considered a high risk denial-of-service (DoS) flaw on Android 7.0 and newer).
Other issues addressed in Media Framework included an information disclosure vulnerability, an elevation of privilege bug, and several denial-of-service flaws.
By successfully exploiting the most severe of these vulnerabilities, an attacker could achieve remote code execution in the context of a privileged process. The issues could be abused via email, web browsing, and MMS when processing media files.
The vulnerability addressed in System (CVE-2017-13236) was an EoP bug that could allow a local malicious application to execute commands normally limited to privileged processes, Google explained in an advisory.
The 2018-02-05 security patch level includes fixes for 19 vulnerabilities in HTC, Kernel, NVIDIA, Qualcomm, and Qualcomm closed-source components.
The most severe of these issues are two remote code execution vulnerabilities in Qualcomm components (CVE-2017-15817 and CVE-2017-17760).
Except for an information disclosure in HTC components (bootloader) and an undisclosed bug type on Qualcomm closed-source components, the remaining issues were elevation of privilege vulnerabilities impacting components such as Media Framework, WLan, Graphics, Kernel, and Bootloader.
Google also released a separate set of patches to address 29 vulnerabilities as part of the Pixel / Nexus Security Bulletin for February 2018.
While most of these bugs were rated moderate severity, one critical remote code execution bug and one high risk denial-of-service issue (both only on Android 5.1.1, 6.0, and 6.0.1 releases and medium severity on Android 7.0 and up) slipped among them.
Impacted components included Media Framework, System, Kernel and Qualcomm. Most of the bugs were elevation of privilege and information disclosure vulnerabilities.
In addition to these security patches, Google included a series of functional improvements in the software updates for the Pixel devices.
Pepperl+Fuchs HMIs Vulnerable to Meltdown, Spectre Attacks
14.2.2018 securityweek Attack
Pepperl+Fuchs has informed customers that some of its human-machine interface (HMI) products are vulnerable to the recently disclosed Meltdown and Spectre attack methods.
The Germany-based industrial automation company said its VisuNet and Box Thin Client HMI devices rely on Intel CPUs, which makes them vulnerable to Meltdown and Spectre attacks. The list of affected products includes VisuNet RM, VisuNet PC, and Box Thin Client BTC.
Pepperl+Fuchs told CERT@VDE, the German counterpart of ICS-CERT, that the impacted devices are designed for use on industrial control systems (ICS) networks, and they should be isolated from the enterprise network and not directly accessible from the Internet.
“Additionally, VisuNet HMI devices use a kiosk mode for normal operation. Within this mode access policies of thin client based VisuNet Remote Monitors and Box Thin Clients are restricted, such that users can only access predefined servers,” CERT@VDE said in its advisory. “This implies that outgoing connections and local software installations have to be configured by administrators. Hence, operators are restricted in a way such that they can only use the system as configured by administrators.”
The vendor says these measures should greatly reduce the risk of attacks. However, if direct Internet access is allowed and a user is tricked into visiting a malicious website, an attacker may be able to execute arbitrary code and obtain data from the HMI device’s memory, including passwords.
Pepperl+Fuchs has released some updates that include the Windows patches for Meltdown and Spectre provided by Microsoft. However, the vendor has warned customers that the fixes could have a negative impact on performance and stability.
Both the patches from Intel and Microsoft have been known to cause problems, but the companies have been working on addressing existing issues.
Pepperl+Fuchs is not the only ICS vendor to inform customers that its products are vulnerable to Meltdown and Spectre attacks. Shortly after the flaws were disclosed, Rockwell Automation, Siemens, Schneider Electric and ABB published advisories on the topic.
More recently, advisories were also published by General Electric and Emerson, but the information is only available to customers that have registered an account on their websites.
The Meltdown and Spectre attacks allow malicious applications to bypass memory isolation mechanisms and access sensitive data stored in memory. Researchers warned recently that malicious actors appear to have already started working on malware designed to exploit the flaws.
Shooting Outside US NSA Headquarters, One Hurt
14.2.2018 securityweek BigBrothers
A shooting erupted Wednesday outside the suburban Washington headquarters of the National Security Agency, a secretive intelligence organization responsible for global US electronic eavesdropping, leaving at least one person injured, officials said.
NBC News aired aerial images of what appeared to be police surrounding a man on the ground in handcuffs outside the NSA facility in Fort Meade, Maryland.
A black SUV appeared to have crashed into a concrete barrier surrounding the site, and bullet holes were visible in the vehicle's front windows.
"We can confirm there has been one person injured and we don’t know how the injuries occurred," an NSA spokesman told AFP.
The local ABC affiliate put the number of injured at three and said a suspect was arrested.
The NSA said the situation was under control, advising motorists that a highway leading to the complex was closed in both direction "due to a police investigation."
"The president has been briefed on the shooting at Ft. Meade," the White House said in a statement. "Our thoughts and prayers are with everyone that has been affected."
A law enforcement source said the FBI's Baltimore office was handling the investigation but it was "too soon to tell" whether it was an attack.
They are "still trying to ascertain the facts," the source said.
Known as the "Puzzle Palace," the NSA is the nerve center for US electronic espionage as well as the main protector of US communications and information systems from cyber attack.
The agency was thrust into the spotlight in 2013 when former contractor Edward Snowden leaked details of its global surveillance programs, including its collection of data on Americans.
Snowden has been charged with violating the Espionage Act and theft of government property. He now lives in exile in Russia.
The NSA was the scene of a similar incident in March 2015 when police fired on an SUV, killing the driver and wounding a passenger after they failed to obey orders to stop at its heavily guarded entrance.
In that incident, the two men in the Ford SUV were dressed in women's clothes "but not in an attempt to disguise themselves from authorities," an FBI spokeswoman said at the time.
Security Awareness Training Top Priority for CISOs: Report
14.2.2018 securityweek Security
Thirty-five percent of CISOs in the financial sector consider staff training to be the top priority for cyber defense. Twenty-five percent prioritize infrastructure upgrades and network defense.
The Financial Services Information Sharing and Analysis Center (FS-ISAC) polled more than 100 of its 7,000 global members to produce the first of its planned annual CISO Cybersecurity Trends Study. ISACs are non-profit organizations, usually relevant to individual critical infrastructure sectors, designed to share threat information among their members and with relevant government agencies. They were born from Bill Clinton's 1998 Presidential Decision Directive PDD 63.
The FS-ISAC's 2018 Cybersecurity Trends Report (PDF) notes a distinction in priorities based on the individual organization's reporting structure. Where CISOs report into a technical structure, such as the CIO, the priority is for infrastructure upgrades, network defense and breach prevention. Where they report into a non-technical function, such as the COO or Legal, the priority is for staff training.
This could be as simple as CISOs prioritizing areas for which they are most likely to get funding. However, that staff training is considered the overall priority does not surprise Dr. Bret Fund, founder and CEO at SecureSet.
"I think that speaks to CISOs seeing first-hand how their largest risks of breach rest in the people component vs. the product or process components," he suggests. "Executives and Boards cannot underestimate the need for a robust security culture inside their organizations; and the way that you achieve that is through proper education and training."
Dan Lohrmann, chief security officer at Security Mentor, agrees. "The mission-essential business aspects that end user security awareness training is now playing in global financial organizations must be front and center surrounding around all data handling and incident response." He recommends metrics-based training so that progress can be monitored.
The report finds no common reporting structure within financial organizations. Only 8% of CISOs report directly to the CEO. Sixty-six percent report to the CIO (39%), the CRO (14%) or the COO (13%). Despite these differences, there appears to be no impact on the frequency of reporting to the board of directors on cybersecurity.
Reporting most frequently occurs every three months (54% of CISOs). Eighteen percent report every six months, and 16% report annually. Only 6% report monthly.
There is no indication within the report on structural trends, which could provide an insight into the evolving role of the CISO. Greg Reber, CEO at AsTech, thinks this is an omission. "At AsTech, we see moves away from CISOs reporting to CIOs, as the incentives can be at odds," he explains. "CIOs may need to get things done quickly to realize financial goals -- moving processing to the cloud environments for example -- while CISOs are chiefly concerned with risk management."
He also notes a failure to comment on cyber risk insurance. "This falls into an 'event response' category, which we see as a top priority. However, it didn't appear in the top three responses in this survey." Reber equates 'cyber defense' with a Maginot Line philosophy, and believes resources should be balanced between defense and response.
"This report from FS-ISAC highlights the continued need for cyber awareness and vigilance from staff," comments Stephen Burke, founder and CEO at Cyber Risk Aware. "Hackers are great at exploiting human nature, using social engineering tactics to gain their victims' trust. Once they can get through defense and onto a user's machine they may use sophisticated methods to stealthily move laterally across a network stealing data or credentials."
FS-ISAC's recommendations to its members based on its survey findings is that staff training should be prioritized regardless of the reporting structure. "People can be the solution to these growing online risks, or they can be contributors to the growing level of security problems," says Lohrmann. "Effective security awareness training will enable the enterprise to successfully stop cyberattacks."
Venture and M&A
Security awareness firms have been the subject of significant funding and M&A transactions in recent months.
Earlier this month, security awareness training firm Wombat Security agreed to be acquired by Proofpoint for $225 million in cash. In August 2017, Webroot acquired Securecast, an Oregon-based company that specializes in security awareness training. In October 2017, security awareness training and simulated phishing firm KnowBe4 secured $30 million in Series B financing, which brought the total amount raised by KnowBe4 to $44 million. Security awareness training firm PhishMe has raised nearly $58 million in funding, including a $42.5 million series C funding round in July 2016.
*Additional reporting by Mike Lennon
Microsoft Patch Tuesday for February 2018 addresses 14 critical flaws
14.2.2018 securityaffairs Vulnerability
Microsoft Patch Tuesday for February 2018 addressed a total of 50 vulnerabilities affecting the Windows operating system, Microsoft Office, web browsers and other products of the tech giant.
Fourteen issues are listed as critical, 34 are rated as important, and only two of them are rated as moderate in severity.
The list of critical vulnerabilities includes an information disclosure issue in the Edge browser, a remote code execution vulnerability in the Windows StructuredQuery component, a memory corruption in Outlook, and several memory corruption flaws in the scripting engines used by both Edge and Internet Explorer.
One of the most severe vulnerabilities addressed by the Microsoft Patch Tuesday for February 2018 is a memory corruption flaw tracked as CVE-2018-0852 that affects Microsoft Outlook. The flaw could be exploited to achieve remote code execution on the targeted machines.
“A remote code execution vulnerability exists in Microsoft Outlook when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.” reads the security advisory published by Microsoft. “If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
To trigger the flaw, an attacker can trick the victim into opening a specially crafted message attachment or viewing it in the Outlook Preview Pane; yes, simply viewing an email in the Preview Pane could allow code execution.
“Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Outlook software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file designed to exploit the vulnerability.” continues the advisory.
Another vulnerability affecting Outlook and addressed with the Microsoft Patch Tuesday for February 2018 is a privilege escalation issue tracked as CVE-2018-0850. The vulnerability is rated as important and can be exploited by sending a specially crafted email to an Outlook user. Exploitation doesn’t require any user action: the flaw is triggered when the message is merely received.
“An attacker who successfully exploited the vulnerability could attempt to force Outlook to load a local or remote message store (over SMB).” states the advisory published by Microsoft.
“To exploit the vulnerability, the attacker could send a specially crafted email to a victim. Outlook would then attempt to open a pre-configured message store contained in the email upon receipt of the email.”
Another critical flaw fixed by Microsoft is an information disclosure vulnerability (CVE-2018-0763) that affects Microsoft Edge. The vulnerability is related to the way Microsoft Edge improperly handles objects in memory.
An attacker can trigger the flaw to obtain sensitive information that could be used to compromise the target machine, but in this case exploitation requires user interaction.
“An information disclosure vulnerability exists when Microsoft Edge improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.” states the advisory published by Microsoft.
“To exploit the vulnerability, in a web-based attack scenario, an attacker could host a website in an attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action.”
Let’s close with another issue fixed by Microsoft, CVE-2018-0771, which affects Microsoft Edge and was publicly known before Microsoft released the patch.
“A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.” states Microsoft.
“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.”
Users should apply the security patches as soon as possible.
Schneider Electric Patches Several Flaws in IGSS Products
14.2.2018 securityweek ICS
Schneider Electric informed customers recently that several vulnerabilities have been found in its IGSS automation product, including in the SCADA software and mobile applications.
Ivan Sanchez of Nullcode discovered that the IGSS SCADA software is affected by a configuration issue that leads to Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) mitigations not being implemented properly.
The flaw, tracked as CVE-2017-9967 and classified as high severity, affects version 12 and earlier of the IGSS SCADA software. The issue has been addressed with the release of version 13.
Another advisory published recently by Schneider Electric describes two medium severity vulnerabilities discovered by researchers in the IGSS Mobile applications for Android and iOS.
One of the flaws, CVE-2017-9968, is related to the lack of certificate pinning when the apps establish a TLS/SSL connection, which makes it easier to launch man-in-the-middle (MitM) attacks.
The second weakness, CVE-2017-9969, allows an attacker to obtain app passwords and other potentially sensitive data from a configuration file, where the information is stored in clear text.
The security holes affect IGSS Mobile for Android and iOS versions 3.0 and prior, and they have been patched by Schneider with the release of version 3.1.1.
The IGSS Mobile vulnerabilities were discovered by researchers at IOActive and Embedi as part of a project that targeted SCADA mobile apps from 34 vendors.
In a report published last month, the companies revealed that flaws had been identified in a vast majority of the tested SCADA applications, including issues that can be exploited to influence industrial processes.
The project focused on Android applications, but Schneider Electric apparently determined that the iOS version of its IGSS app was also impacted by the vulnerabilities discovered by IOActive and Embedi researchers.
Schneider Electric also informed customers last week of a high severity remote code execution vulnerability affecting its StruxureOn Gateway product.
“Uploading a zip which contains carefully crafted metadata allows for the file to be uploaded to any directory on the host machine information which could lead to remote code execution,” the vendor said in its advisory.
The flaw, tracked as CVE-2017-9970, affects StruxureOn Gateway 1.0.0 through 1.1.3 and it has been patched with the release of version 1.2.
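The advisory wording, metadata in the zip deciding where a file lands, describes the path-traversal class usually called "zip slip": an entry name such as `../../etc/cron.d/job`, or an absolute path, makes a naive extractor write outside the upload directory, and a file dropped into a startup, cron or web directory becomes code execution. The Python below is an added example, not StruxureOn Gateway code, and does not claim to reproduce the exact StruxureOn bug. It builds a malicious archive in memory, shows the naive path computation beside a hardened extractor, and `demo()` exercises both in a temporary directory.

```python
"""Safe extraction of an uploaded zip archive versus the naive pattern.

Added example, not StruxureOn Gateway code. Both archives are constructed
in memory; demo() runs the two extractors inside a temporary directory.
"""
import io
import os
import tempfile
import zipfile
from typing import Dict, List


def build_archive(entries: Dict[str, bytes]) -> bytes:
    """Constructed archive; ZipInfo keeps '../' and a leading '/' in names as-is."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def naive_targets(archive: bytes, dest: str) -> List[str]:
    """Vulnerable pattern: joins the entry name onto dest and trusts the result.
    Returns the paths such code would write to (it does not write them)."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [os.path.normpath(os.path.join(dest, info.filename)) for info in zf.infolist()]


def safe_entry_path(dest: str, name: str) -> str:
    """Resolve an entry name under dest, rejecting absolute names and escapes."""
    if name.startswith(("/", "\\")) or os.path.splitdrive(name)[0]:
        raise ValueError(f"absolute entry name rejected: {name!r}")
    base = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(base, name))
    # commonpath catches '..' components and also stops '/srv/uploads2' matching '/srv/uploads'
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"entry escapes destination: {name!r}")
    return target


def extract_safe(archive: bytes, dest: str) -> List[str]:
    """Hardened extractor: validates every entry before anything is written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        # validate all names first so a bad entry late in the archive cannot leave a partial extract
        targets = [(info, safe_entry_path(dest, info.filename)) for info in zf.infolist()]
        for info, target in targets:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, os.path.realpath(dest)).replace(os.sep, "/"))
    return written


def demo() -> dict:
    """Run both extractors against a constructed malicious and a benign archive."""
    malicious = build_archive({"../../outside.txt": b"escaped", "ok.txt": b"fine"})
    benign = build_archive({"conf/app.ini": b"key=value"})
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "uploads")
        os.makedirs(dest)
        naive = naive_targets(malicious, dest)
        try:
            extract_safe(malicious, dest)
            rejected = False
        except ValueError:
            rejected = True
        return {
            "naive_escapes": any(os.path.commonpath([dest, p]) != dest for p in naive),
            "safe_rejected": rejected,
            "benign_written": extract_safe(benign, dest),
            "leftover_in_dest": sorted(os.listdir(dest)),
        }


if __name__ == "__main__":
    print(demo())
```

Python's own `ZipFile.extractall` strips leading slashes and `..` components, so the naive function models the hand-rolled `join(dest, name)` pattern rather than the standard library; the same check is needed in any language where the extractor computes output paths itself.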
Schneider Electric admitted recently that the Triton/Trisis malware, whose existence was brought to light in mid-December, exploited a zero-day vulnerability in the company’s Triconex Safety Instrumented System (SIS) controllers.
Zero-Day Attack Prompts Emergency Patch for Bitmessage Client
14.2.2018 securityweek Attack
An emergency update released on Tuesday for the PyBitmessage application patches a critical remote code execution vulnerability that has been exploited in attacks.
Bitmessage is a decentralized and trustless communications protocol that can be used for sending encrypted messages to one or multiple users. PyBitmessage is the official client for Bitmessage.
Bitmessage developers have issued a warning for a zero-day flaw that has been exploited against some users running PyBitmessage 0.6.2.
The security hole, described as a message encoding bug, has been patched with the release of version 0.6.3.2, but since PyBitmessage 0.6.1 is not affected by the flaw, downgrading is also an option for mitigating potential attacks.
Code patches were released on Tuesday, and binary files for Windows and macOS are expected to become available on Wednesday.
One of the individuals targeted in the zero-day attacks was Bitmessage core developer Peter Šurda. The developer told users not to contact him on his old address and admitted that his keys were most likely compromised. A new support address has been added to PyBitmessage 0.6.3.2.
“If you have a suspicion that your computer was compromised, please change all your passwords and create new bitmessage keys,” Šurda said.
According to Šurda, the attacker exploited the vulnerability in an effort to create a remote shell and steal bitcoins from Electrum wallets.
“The exploit is triggered by a malicious message if you're the recipient (including joined chans),” the developer explained. “The attacker ran an automated script but also opened, or tried to open, a remote reverse shell. The automated script looked in ~/.electrum/wallets, but when using the reverse shell he had access to other files as well.”
The investigation into these attacks is ongoing and Bitmessage developers have promised to share more information as it becomes available.
Bitmessage has become increasingly popular in the past years following reports that the U.S. National Security Agency and other intelligence agencies are conducting mass surveillance. While the protocol is often used by people looking to protect their privacy, it has also been leveraged by cybercriminals, including in ransomware attacks for communications between victims and the hackers.
DoubleDoor, a new IoT Botnet bypasses firewall using two backdoor exploits
14.2.2018 securityaffairs Exploit IoT
Security researchers spotted a new IoT botnet dubbed DoubleDoor that is able to bypass firewall as well as modem security using two backdoor exploits.
IoT devices continue to be a favoured target of cybercriminals, and attacks against so-called smart objects have evolved rapidly. Security researchers at NewSky Security have detected a new IoT botnet dubbed DoubleDoor that is able to bypass firewall as well as modem security using two backdoor exploits.
The researchers detected the threat by analysing honeypot logs: it chains two known backdoor exploits to get past two layers of authentication.
The first is an exploit for CVE-2015-7755 in Juniper Networks ScreenOS, which bypasses authentication on the firewall.
CVE-2015-7755 is a hardcoded backdoor in Juniper's ScreenOS, the software that powers its NetScreen firewalls.
“Essentially the telnet and SSH daemons of Netscreen firewalls can be accessed by using the hardcoded password <<< %s(un=’%s’) = %u with any username, regardless of it being valid or not. We saw its implementation in the initial attack cycle of DoubleDoor as it attacked our honeypots with username “netscreen” and the backdoor password.” wrote Ankit Anubhav, Principal Researcher, NewSky Security.
Once past the firewall, the malware uses the CVE-2016-10401 Zyxel modem backdoor to take full control of the device.
This second exploit is a privilege escalation, “which is why the DoubleDoor attackers also performed a password-based attack to get a basic privilege account like admin:CenturyL1nk before going for the superuser.”
“This time it was CVE-2016-10401, a backdoor for ZyXEL PK5001Z devices. This backdoor is straightforward too, with a hardcoded su password as zyad5001.” continues the expert.
The experts highlighted that, unlike other IoT botnets such as Satori or Masuta, DoubleDoor doesn't use a unique string in the reconnaissance phase.
“after the threat actors have performed the attack, they want a confirmation whether they were successful in getting control of the IoT device. For this, they try to invoke the shell with invalid commands. If the attacker has succeeded, it will show “{string}: applet not found” where {string} is the invalid command.” observed the researchers.
“DoubleDoor botnet takes care of this, by using a randomized string in every attack”
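Pulling the three indicators from the write-up together, the Python below is an added detection example, not NewSky Security's code, that scans a telnet honeypot transcript for a DoubleDoor-style session: the ScreenOS backdoor password, the Zyxel `su` password following a low-privilege login, and the BusyBox "applet not found" reply to a shell-confirmation probe. The transcript format and every line in it are constructed; the second and third sessions use a fixed probe string to show how a randomized per-attack string differs from a marker that repeats across sources. Because telnet is cleartext, a honeypot sees the passwords as typed.

```python
"""Flag DoubleDoor-style sessions in a telnet honeypot transcript.

Added detection example, not NewSky Security code. Indicators are the ones
the write-up names; the transcript format and every line in it are constructed.
"""
import re
from typing import Dict

SCREENOS_BACKDOOR_PW = "<<< %s(un='%s') = %u"   # CVE-2015-7755, accepted with any username
ZYXEL_SU_PW = "zyad5001"                         # CVE-2016-10401, hardcoded su password

# constructed log format: "<timestamp> <src-ip> <login|password|cmd|out>: <value>"
LINE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<kind>login|password|cmd|out): (?P<val>.*)$")
# BusyBox answers an unknown command with "<name>: applet not found"
APPLET_PROBE = re.compile(r"^(?P<probe>\S+): applet not found$")

SAMPLE_TRANSCRIPT = """\
2018-02-13T02:11:04Z 1.2.3.4 login: netscreen
2018-02-13T02:11:04Z 1.2.3.4 password: <<< %s(un='%s') = %u
2018-02-13T02:11:07Z 1.2.3.4 login: admin
2018-02-13T02:11:07Z 1.2.3.4 password: CenturyL1nk
2018-02-13T02:11:09Z 1.2.3.4 cmd: su
2018-02-13T02:11:09Z 1.2.3.4 password: zyad5001
2018-02-13T02:11:11Z 1.2.3.4 cmd: qx8v2kd
2018-02-13T02:11:11Z 1.2.3.4 out: qx8v2kd: applet not found
2018-02-13T02:15:30Z 5.6.7.8 login: root
2018-02-13T02:15:30Z 5.6.7.8 password: 12345
2018-02-13T02:15:32Z 5.6.7.8 cmd: FIXEDTAG
2018-02-13T02:15:32Z 5.6.7.8 out: FIXEDTAG: applet not found
2018-02-13T02:19:02Z 9.9.9.9 login: root
2018-02-13T02:19:02Z 9.9.9.9 password: 12345
2018-02-13T02:19:03Z 9.9.9.9 cmd: FIXEDTAG
2018-02-13T02:19:03Z 9.9.9.9 out: FIXEDTAG: applet not found
"""


def analyse(transcript: str) -> Dict[str, dict]:
    """Group lines by source IP and score each session against the indicators."""
    sessions: Dict[str, dict] = {}
    for raw in transcript.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # unrelated log line
        s = sessions.setdefault(m.group("ip"), {
            "screenos_backdoor": False, "zyxel_su": False, "probes": [], "_last_cmd": None})
        kind, val = m.group("kind"), m.group("val")
        if kind == "password" and val == SCREENOS_BACKDOOR_PW:
            s["screenos_backdoor"] = True            # layer 1: the firewall
        elif kind == "password" and s["_last_cmd"] == "su" and val == ZYXEL_SU_PW:
            s["zyxel_su"] = True                     # layer 2: root on the modem
        elif kind == "cmd":
            s["_last_cmd"] = val
        elif kind == "out":
            p = APPLET_PROBE.match(val)
            if p:
                s["probes"].append(p.group("probe"))  # shell-confirmation probe

    # a probe string seen from several sources is a fixed marker of the kind
    # Satori/Masuta use; DoubleDoor's randomized string does not repeat across attacks
    seen: Dict[str, int] = {}
    for s in sessions.values():
        for probe in s["probes"]:
            seen[probe] = seen.get(probe, 0) + 1
    for s in sessions.values():
        s["doubledoor_like"] = s["screenos_backdoor"] and s["zyxel_su"]
        s["probe_reused"] = any(seen[p] > 1 for p in s["probes"])
        del s["_last_cmd"]
    return sessions


if __name__ == "__main__":
    for ip, session in analyse(SAMPLE_TRANSCRIPT).items():
        print(ip, session)
```

The two backdoor passwords are the reliable signal; the probe-reuse check only helps once the honeypot has enough sessions to tell a one-off random string from a marker that keeps coming back.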
The DoubleDoor botnet seems to be in an early stage; most of the attacks originate from South Korean IP addresses.
The botnet targets a narrow set of devices: the attack succeeds only where an unpatched Juniper ScreenOS firewall sits in front of unpatched Zyxel modems.
“Double layer of IoT protection is more common in corporate environments, which don’t rely on built-in IoT authentication and like to protect it with another layer of firewall. Although such corporate devices can be lesser in number, getting control of corporate environment routers can be more valuable for an attacker as it can lead to targeted IoT attacks.” concluded the experts.