Posts Tagged ‘Red Hat’

Wednesday, October 28, 2015 @ 01:10 PM gHale

An update has been released for the Network Time Protocol (NTP) software to address a series of low- and medium-severity vulnerabilities reported by researchers from Cisco, Red Hat, IDA, Boston University, and Tenable Networks.

NTP is a protocol used to synchronize clocks between computer systems on a network. While NTP is highly useful, it also has had a series of security flaws, and it has often been the victim of distributed denial-of-service (DDoS) attacks.

The latest update to NTP, ntp-4.2.8p4, patches 13 flaws, including denial-of-service (DoS), directory traversal, memory corruption, authentication bypass, and file overwrite issues.

The only generally exploitable bug, with a CVSS score of 6.4, is a crypto-NAK issue (CVE-2015-7871) uncovered by researchers at Cisco, according to an advisory published by the NTP Project.

The vulnerability, which exists due to a logic error in the handling of certain crypto-NAK packets by the Network Time Protocol daemon (ntpd), can be exploited by an unauthenticated off-path attacker to force ntpd processes to peer with malicious time sources in order to change the system time.

Once they manage to change the system time, attackers can authenticate to services using expired passwords and accounts, bypass web security mechanisms such as HTTP Strict Transport Security (HSTS) and certificate pinning, cause TLS clients to accept revoked and expired certificates, damage systems, deny service to authentication systems and services that rely on time-limited authentication tickets, and degrade system performance by forcing caching systems such as content delivery networks (CDNs) and DNS to flush their caches.

“This vulnerability has been confirmed in ntp version 4.2.8p3. The vulnerable code path was introduced in ntp version 4.2.5p186 (late 2009). Therefore, all ntp-4 stable releases from 4.2.5p186 through 4.2.8p3 appear to be vulnerable. All ntp-4 development versions from 4.3.0 through, at least, 4.3.76 also appear to be vulnerable,” Cisco said.
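The version ranges Cisco gives above are the practical input for a fleet check: which ntpd builds fall inside them. The following added example (not code from the NTP Project or from Cisco) parses ntp version strings such as "4.2.8p3" into comparable tuples and classifies each one against the stable and development ranges quoted in the advisory. The inventory format (hostname to version string) is an assumption; in practice the version would come from package metadata or ntpq.

```python
import re

# Affected ranges as stated in Cisco's advisory: stable releases 4.2.5p186 through
# 4.2.8p3, development releases 4.3.0 through at least 4.3.76. The fix is 4.2.8p4.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")


def parse_ntp_version(text):
    """Turn an ntp version string such as '4.2.8p3' into a comparable tuple.

    A release without a 'pN' suffix (e.g. '4.3.0') sorts before '4.3.0p1',
    so the patch level defaults to 0.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised ntp version: %r" % text)
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


STABLE_FIRST_BAD = parse_ntp_version("4.2.5p186")
STABLE_FIXED = parse_ntp_version("4.2.8p4")
DEV_FIRST_BAD = parse_ntp_version("4.3.0")
DEV_LAST_KNOWN_BAD = parse_ntp_version("4.3.76")


def crypto_nak_status(text):
    """Classify an ntpd version against the ranges Cisco gave for CVE-2015-7871.

    Returns 'vulnerable', 'patched', 'pre-vulnerable' or 'unknown'. 'unknown'
    covers development versions newer than 4.3.76: the advisory only says the
    4.3.x line is vulnerable 'at least' up to that point.
    """
    v = parse_ntp_version(text)
    if v[:2] == (4, 3):
        if DEV_FIRST_BAD <= v <= DEV_LAST_KNOWN_BAD:
            return "vulnerable"
        return "unknown"
    if v >= STABLE_FIXED:
        return "patched"
    if v >= STABLE_FIRST_BAD:
        return "vulnerable"
    return "pre-vulnerable"


def audit_hosts(inventory):
    """Report every host whose ntpd is not known to carry the fix.

    'inventory' maps hostname -> version string (an assumed format for this
    example; collect it from package metadata or 'ntpq -c rv' in practice).
    """
    report = {}
    for host, version in inventory.items():
        status = crypto_nak_status(version)
        if status != "patched":
            report[host] = status
    return report


if __name__ == "__main__":
    # Constructed inventory for demonstration.
    sample = {"ntp1": "4.2.8p4", "ntp2": "4.2.8p2", "ntp3": "4.2.4p8", "dev1": "4.3.77"}
    for host, status in sorted(audit_hosts(sample).items()):
        print("%-6s %s" % (host, status))
```

Hosts reported as "pre-vulnerable" predate the affected code path but are far behind on other fixes, so the sensible action for every non-"patched" entry is the same: move to 4.2.8p4.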

The networking giant is figuring out which of its products suffer from the vulnerabilities patched with the release of ntp-4.2.8p4. The company will then release software updates to patch the security holes.

After the NTP Project released the update addressing the vulnerabilities that Boston University researchers had discovered (CVE-2015-7704 and CVE-2015-7705), the researchers published a paper detailing their findings.

The researchers detailed a method an on-path attacker can use to hijack traffic to the NTP server and change the time on its clients. They also described a technique an off-path attacker located anywhere on the targeted organization’s network can use to disable NTP synchronization via a low-rate denial-of-service attack.

According to Boston University researchers, an off-path attacker can also use IPv4 fragmentation to hijack the NTP connection between the client and server to alter time.

The impact of these vulnerabilities is generally similar to the attack scenarios described by Cisco. However, Boston University also described a scenario affecting the digital currency Bitcoin.

“Bitcoin is a digital currency that allows a decentralized network of nodes to arrive at a consensus on a distributed public ledger of transactions, aka ‘the blockchain’. The blockchain consists of timestamped ‘blocks’; bitcoin nodes use computational proofs-of-work to add blocks to the blockchain,” the researchers said in their paper. “Because blocks should be added to the blockchain according to their validity interval (about 2 hours), an NTP attacker can trick a victim into rejecting a legitimate block, or into wasting computational power on proofs-of-work for a stale block.”

An NTP server fragmentation vulnerability testing tool made available by Boston University allows organizations to check their configuration simply by entering their IP address or domain name.

Monday, July 27, 2015 @ 04:07 PM gHale

Red Hat patched two vulnerabilities related to the “libuser” library, which a local attacker could leverage to escalate to root privileges.

The libuser library provides an interface for manipulating and managing user and group accounts. The package is a default installation in Red Hat Enterprise Linux (RHEL) and other Linux distributions derived from the Red Hat codebase.

The vulnerabilities were discovered by researchers at security firm Qualys, who published a proof-of-concept (PoC) to show how the flaws can be exploited.

The first security hole, which Red Hat has classified in an advisory as having “important” impact, is a race condition vulnerability (CVE-2015-3246). The issue stems from the fact that libuser modifies the /etc/passwd file directly, unlike other programs (e.g. passwd, chfn, chsh) which work on a temporary copy of the file that is later renamed into place. If something goes wrong while the file is being changed, libuser can leave /etc/passwd in an inconsistent state, which can lead to a denial-of-service (DoS) condition.

The second vulnerability, rated “moderate,” affects the userhelper utility, which provides a basic interface for changing a user’s password, GECOS information, and shell.

The bug comes from the chfn function in userhelper, which does not properly filter out newline characters (CVE-2015-3245).

“The chfn function implemented by the userhelper utility verified that the fields it was given on the command line were valid (that is, contain no forbidden characters),” Red Hat said in its advisory. “Unfortunately, these forbidden characters (:,=) did not include the \n character and allowed local attackers to inject newline characters into the /etc/passwd file and alter this file in unexpected ways.”

Just like CVE-2015-3246, this vulnerability can be leveraged for DoS attacks. However, an attacker can combine CVE-2015-3245 and CVE-2015-3246 to achieve local privilege escalation to the root user.

Red Hat noted that while the userhelper utility is part of the usermode package, the vulnerability was addressed with an update to the libuser library. The flaw was patched by ensuring libuser forbids the \n character.
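The two defects above are both about how a program edits a colon- and newline-delimited account file, so one added example can show the corrected handling of each. This is illustrative code written for this article, not libuser's or userhelper's source: a field validator with the old forbidden set (":,=") beside the fixed set that also forbids "\n", a record builder that shows why a stray newline turns one record into two lines, and a temp-file-plus-rename writer of the kind the article contrasts with libuser's in-place edit. The example operates on a scratch file in a temporary directory, never on the real /etc/passwd.

```python
import os
import shutil
import tempfile

LEGACY_FORBIDDEN = set(":,=")            # the set the advisory says userhelper checked
FORBIDDEN = LEGACY_FORBIDDEN | {"\n"}    # the fix: newline is forbidden as well


def field_is_valid(value, forbidden=FORBIDDEN):
    """Return True if a passwd field contains none of the forbidden characters."""
    return not any(ch in forbidden for ch in value)


def build_passwd_record(name, uid, gid, gecos, home, shell, forbidden=FORBIDDEN):
    """Assemble one passwd(5) line from its seven colon-separated fields.

    With the legacy filter a GECOS value containing '\\n' passes validation and
    the returned string spans two lines; with the fixed filter it is rejected.
    """
    for field in (name, gecos, home, shell):
        if not field_is_valid(field, forbidden):
            raise ValueError("forbidden character in field: %r" % field)
    return "%s:x:%d:%d:%s:%s:%s\n" % (name, uid, gid, gecos, home, shell)


def gecos_accepted(gecos, forbidden=FORBIDDEN):
    """True if a record with this GECOS value would be written under 'forbidden'."""
    try:
        build_passwd_record("bob", 1001, 1001, gecos, "/home/bob", "/bin/sh", forbidden)
    except ValueError:
        return False
    return True


def write_passwd_atomically(path, lines):
    """Write 'lines' to 'path' via a temp file in the same directory plus rename.

    Readers see either the old file or the complete new one, never a partially
    written one, and a failure mid-write leaves the original untouched.
    """
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".passwd.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.writelines(lines)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)  # atomic replacement on POSIX
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def demo_atomic_write():
    """Show that a failed rewrite leaves the previous file intact.

    Returns (content after a good write, content after a failed write,
    leftover files in the scratch directory). All paths are constructed.
    """
    workdir = tempfile.mkdtemp()
    try:
        path = os.path.join(workdir, "passwd")
        good = [build_passwd_record("alice", 1000, 1000, "Alice", "/home/alice", "/bin/bash")]
        write_passwd_atomically(path, good)
        with open(path) as fh:
            after_good = fh.read()
        try:
            # None is not a str: writelines fails after the temp file already exists
            write_passwd_atomically(path, good + [None])
        except TypeError:
            pass
        with open(path) as fh:
            after_failed = fh.read()
        leftovers = [n for n in os.listdir(workdir) if n != "passwd"]
        return after_good, after_failed, leftovers
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print("legacy filter accepts newline:", gecos_accepted("Bob\ninjected", LEGACY_FORBIDDEN))
    print("fixed filter accepts newline: ", gecos_accepted("Bob\ninjected"))
    print(demo_atomic_write())
```

The rename step only gives atomicity when the temporary file lives on the same filesystem as the target, which is why it is created in the target's directory rather than in /tmp.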

The vulnerabilities affect all versions of the libuser library included in RHEL 6 and 7. Users should install the updated libuser packages.

Tuesday, May 20, 2014 @ 05:05 AM gHale

There is a flaw in the Linux kernel that could let a local user crash or run programs as an administrator.

Administrators running Ubuntu, some Red Hat systems, Debian, among others are moving to patch a moderately serious memory corruption flaw affecting the n_tty_write function in the Linux kernel up to 3.14.3.

The “n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the ‘LECHO & !OPOST’ case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings,” according to the US-CERT release for CVE-2014-0196.

In UNIX/Linux parlance, TTY, derived from Teletype, refers to the command line interface terminal.

The race condition occurs in a feature introduced in 2009 that changed how “pty” — a pseudo tty — handled write buffering, one security researcher said.

“When two processes/threads write to the same pty, the buffer end could be overwritten and so memory corruption into adjacent buffers could lead to crashes / code execution,” the researcher said.

Only a local user can exploit the bug; however, the condition may still pose a risk for affected systems in shared server environments.

Red Hat is working on corrected kernel packages for Red Hat Enterprise Linux (RHEL) 6 and Red Hat Enterprise MRG 2 but has said that RHEL 5 is not affected. Debian has fixes available and Ubuntu has released details about its patches.

Wednesday, March 5, 2014 @ 03:03 PM gHale

A cryptographic bug similar to the one recently found in iOS and OS X exists in the GnuTLS code library, which is widely used in open source software and Linux distributions.

“The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification,” the Red Hat security team explained in a security advisory. “An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker (CVE-2014-0092).”
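The advisory's phrase "did not correctly handle certain errors ... causing it to incorrectly report a successful verification" describes a classic control-flow mistake: a function that returns 1 for verified, 0 for rejected and a negative code for "could not check", whose caller treats any nonzero result as success. The added example below is an illustration of that pattern written for this article, not GnuTLS's actual code; the certificate records, error codes and function names are constructed. It uses Python, where a negative integer is truthy exactly as it is in C, so the buggy caller behaves the same way.

```python
VERIFY_OK = 1          # signature checked and correct
VERIFY_FAILED = 0      # signature checked and wrong
E_PARSE = -1           # constructed error code: certificate could not be parsed
E_NO_SIGNATURE = -2    # constructed error code: no signature present


def check_signature(cert):
    """Return 1 if the issuer's signature verifies, 0 if not, negative on error.

    'cert' is a constructed dict standing in for a parsed X.509 certificate.
    """
    if "signature" not in cert:
        return E_NO_SIGNATURE
    if cert.get("malformed"):
        return E_PARSE
    return VERIFY_OK if cert["signature"] == "valid" else VERIFY_FAILED


def verify_chain_buggy(chain):
    """The dangerous pattern: only 0 is treated as failure.

    A negative error code is truthy, so a certificate that could not be
    checked at all is waved through as if it had verified.
    """
    for cert in chain:
        if not check_signature(cert):
            return False
    return True


def verify_chain_fixed(chain):
    """Treat anything other than the explicit success value as failure.

    Errors during verification (negative codes) are reported as
    'not verified', which is the fail-closed behaviour a TLS client needs.
    """
    for cert in chain:
        if check_signature(cert) != VERIFY_OK:
            return False
    return True


def compare(chain):
    """Return (buggy_result, fixed_result) for one chain, for side-by-side inspection."""
    return verify_chain_buggy(chain), verify_chain_fixed(chain)


if __name__ == "__main__":
    # Constructed chains: one good, one with a bad signature, one that errors out.
    for label, chain in [("good", [{"signature": "valid"}]),
                         ("bad signature", [{"signature": "bogus"}]),
                         ("parse error", [{"signature": "valid", "malformed": True}])]:
        print("%-14s buggy=%s fixed=%s" % (label, *compare(chain)))
```

The general lesson is that "not zero" is not the same as "success" when an API multiplexes a boolean result and an error code in one integer; comparing against the explicit success value, or failing closed on any negative return, is what the advisory's fix amounts to.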

The flaw was discovered by Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team during an audit of GnuTLS for Red Hat.

The audit also found another bug in the way GnuTLS handled version 1 X.509 certificates, which could allow an attacker able to obtain such a certificate from a trusted CA to issue certificates for other sites that GnuTLS would accept as valid (CVE-2009-5138).

Red Hat has patched the vulnerabilities; GnuTLS users should upgrade to the updated packages and restart all applications linked to the GnuTLS library for the change to take effect.

Other projects, including Debian and Ubuntu, have moved to fix the bug in this library, but hundreds more applications and operating systems that use it have yet to do so.

GnuTLS developers have also provided a new version of the library that fixes the issue and, as an alternative to it, a patch that temporarily mitigates it.

The flaw is pretty serious, as it could allow attackers to impersonate any web site and intercept and decode all the encrypted traffic that goes from end user to server and back.

Monday, November 25, 2013 @ 02:11 PM gHale

A vulnerability allows attackers to compromise JBoss Java EE application servers that expose the HTTP Invoker service to the Internet, researchers said.

In October, security researcher Andrea Micalizzi released an exploit for a vulnerability in products from multiple vendors including Hewlett-Packard, McAfee, Symantec and IBM that use 4.x and 5.x versions of JBoss. That vulnerability, CVE-2013-4810, allows unauthenticated attackers to install an arbitrary application on JBoss deployments that expose the EJBInvokerServlet or JMXInvokerServlet. Attackers are actively exploiting the vulnerability.

Micalizzi’s exploit installs a Web shell application called pwn.jsp that can execute shell commands on the operating system via HTTP requests. The commands are executed with the privileges of the OS user running JBoss, which in the case of some JBoss deployments can be a highly privileged, administrative user.

Researchers from security firm Imperva found an increase in attacks against JBoss servers that used Micalizzi’s exploit to install the original pwn.jsp shell, but also a more complex Web shell called JspSpy.

Over 200 sites running on JBoss servers, including some that belong to governments and universities, were hacked and infected with these Web shell applications, said Barry Shteiman, director of security strategy at Imperva.

The problem is actually bigger because the vulnerability described by Micalizzi stems from insecure default configurations that leave JBoss management interfaces and invokers exposed to unauthenticated attacks.

Shteiman said the number of JBoss servers with management interfaces exposed to the Internet has more than tripled since 2011, reaching over 23,000.

One reason for this increase is probably that people have not fully understood the risks associated with this issue and continue to deploy insecure JBoss installations, Shteiman said. Also, some vendors ship products with insecure JBoss configurations, like the products vulnerable to Micalizzi’s exploit, he said.

Red Hat develops JBoss, which it recently renamed WildFly. Its latest stable version is 7.1.1, but Shteiman said quite a few organizations still use JBoss 4.x and 5.x for compatibility reasons, as they need to run old applications developed for those versions.

Those organizations should follow the instructions for securing their JBoss installations that are available on the JBoss Community website, he said.

The Red Hat Security Response Team said while CVE-2013-4810 refers to the exposure of unauthenticated JMXInvokerServlet and EJBInvokerServlet interfaces on HP ProCurve Manager, “These servlets are also exposed without authentication by default on older unsupported community releases of JBoss AS (WildFly) 4.x and 5.x. All supported Red Hat JBoss products that include the JMXInvokerServlet and EJBInvokerServlet interfaces apply authentication by default, and are not affected by this issue. Newer community releases of JBoss AS (WildFly) 7.x are also not affected by this issue.”
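For an operator, the two artefacts this article names are enough to build a first detection: requests that reach JMXInvokerServlet or EJBInvokerServlet, and requests for the pwn.jsp or JspSpy shells. The added example below (written for this article, not Imperva's or Red Hat's tooling) parses web server access log lines in the common log format and flags them. A 2xx response to an invoker request means the servlet answered without authentication, which is the exposure Red Hat describes above; a 401 or 403 means authentication was enforced and the request was only a probe. The log lines are constructed sample data using documentation addresses.

```python
import re
from collections import Counter

# Names from the article: the two invoker servlets and the two web shells.
INVOKER_SERVLETS = ("JMXInvokerServlet", "EJBInvokerServlet")
SHELL_MARKERS = ("pwn.jsp", "JspSpy")

# Common log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (not real traffic; 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [25/Nov/2013:14:02:11 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 1532
203.0.113.7 - - [25/Nov/2013:14:02:12 +0000] "GET /app/pwn.jsp HTTP/1.1" 200 88
198.51.100.23 - - [25/Nov/2013:14:05:40 +0000] "GET /index.html HTTP/1.1" 200 4021
203.0.113.7 - - [25/Nov/2013:14:07:03 +0000] "GET /invoker/EJBInvokerServlet HTTP/1.1" 401 0
198.51.100.9 - - [25/Nov/2013:14:09:55 +0000] "GET /admin/JspSpy.jsp HTTP/1.1" 404 210
"""


def classify_request(path, status):
    """Return a reason string for a suspicious request, or None if it is benign."""
    if any(name in path for name in INVOKER_SERVLETS):
        if 200 <= status < 300:
            return "unauthenticated invoker access"
        if status in (401, 403):
            return "invoker probe (authentication enforced)"
        return "invoker probe"
    if any(marker in path for marker in SHELL_MARKERS):
        return "web shell request"
    return None


def scan_access_log(text):
    """Return (line_no, ip, path, status, reason) for every flagged line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production scanner would count these
        status = int(m.group("status"))
        reason = classify_request(m.group("path"), status)
        if reason:
            findings.append((line_no, m.group("ip"), m.group("path"), status, reason))
    return findings


def suspicious_sources(text):
    """Count flagged requests per source address, for blocking or follow-up."""
    return dict(Counter(f[1] for f in scan_access_log(text)))


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_ACCESS_LOG):
        print("line %d  %-14s %-30s %d  %s" % finding)
    print(suspicious_sources(SAMPLE_ACCESS_LOG))
```

A 404 for a shell name is still worth recording: it shows someone is looking for an existing implant, and the same source address will usually show up in the invoker findings.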

Friday, November 1, 2013 @ 05:11 PM gHale

There are three new partners in Lockheed Martin’s Cyber Security Alliance.

Red Hat, FireEye and Splunk will work to develop intelligence-driven defense solutions.

“The addition of three market-leading companies in the cyber security and data analytics marketplace will help us meet the challenges of today’s constantly evolving cyber threats using an intelligence-driven approach,” said Charlie Croom, vice president of Cyber Security Solutions at Lockheed Martin Information Systems & Global Solutions.

The goal of the Cyber Security Alliance is to integrate companies within the NexGen Cyber Innovation and Technology Center, a research, development and collaboration center.

In addition to FireEye, Red Hat and Splunk, the list of partners includes APC by Schneider Electric, Cisco, CA, ArcSight, Dell, Citrix, EMC and RSA, Intel, HP, McAfee, Juniper Networks, NetApp, Microsoft, Symantec, VMware, Verizon and Trustwave.

Lockheed Martin also unveiled Trusted Sentinel, a cyber security solution that enables organizations to securely share intelligence.

“In today’s complex cyber threat environment, protecting and securing our data is critical,” said Jim Quinn, vice president of C4ISR Systems for Lockheed Martin Information Systems & Global Solutions.

“Trusted Sentinel addresses the difficult challenge of sharing relevant information across security domains and between organizational echelons.”

Trusted Sentinel’s capabilities come from two of the company’s Cross Domain Solutions approved by the Unified Cross Domain Management Office (UCDMO). The UCDMO is an organization that provides coordination and oversight of cross-domain initiatives across the Department of Defense and the Intelligence Community.

Thursday, May 30, 2013 @ 04:05 PM gHale

Apache has a security hole that could allow attackers to take control of the server.

The vulnerability is in the do_rewritelog() log function of mod_rewrite.

This function insufficiently filters the data written to the log file. Attackers can potentially use specially crafted HTTP requests to inject escape sequences into the log file, which could cause the server to execute commands without the administrator’s authorization when the log file is displayed in a terminal.
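The underlying defect is that attacker-controlled request data reaches a log file unescaped, and a terminal later interprets the control bytes in it. Whatever the web server does, an operator can apply the same mitigation on the reading side: render control characters visibly instead of passing them to the terminal. The added example below (written for this article, not Apache's code) escapes anything in a log line that is not printable, and reports which lines carried raw control bytes in the first place. The rewrite-log lines are constructed sample data.

```python
import re

# Every C0 control character except tab and newline, plus DEL. ESC (0x1b) is the
# one that starts terminal control sequences, but none of these belong in a log line.
CONTROL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")

# Constructed sample: two log entries, the second carrying an ESC sequence that a
# terminal would interpret as "clear screen" when the file is cat'ed.
SAMPLE_REWRITE_LOG = (
    "203.0.113.5 - - [30/May/2013:10:15:01 +0000] (2) init rewrite engine with requested uri /index.html\n"
    "203.0.113.9 - - [30/May/2013:10:15:07 +0000] (2) init rewrite engine with requested uri /\x1b[2Jcleared\n"
)


def escape_for_terminal(line):
    """Return the line with each control byte shown as \\xNN, so nothing is interpreted."""
    return CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group(0)), line)


def find_escape_injection(log_text):
    """Return (line_no, escaped_line) for every entry that contains raw control bytes."""
    hits = []
    for line_no, line in enumerate(log_text.split("\n"), 1):
        if CONTROL_RE.search(line):
            hits.append((line_no, escape_for_terminal(line)))
    return hits


def safe_view(log_text):
    """Return the whole log escaped, the form a viewer should print to a terminal."""
    return "\n".join(escape_for_terminal(line) for line in log_text.split("\n"))


if __name__ == "__main__":
    for line_no, shown in find_escape_injection(SAMPLE_REWRITE_LOG):
        print("line %d: %s" % (line_no, shown))
    print(safe_view(SAMPLE_REWRITE_LOG))
```

Piping a log through a viewer that does this (or through a pager like less, which escapes control bytes by default) is cheaper than auditing every terminal emulator's handling of escape sequences.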

The 2.2.x versions of Apache are vulnerable, but other branches may also have the issue. Currently, the only way of mitigating the issue is to apply a patch.

For Red Hat Enterprise Linux users, the issue has been fixed in RHEL 5 and 6 updates.

Monday, September 10, 2012 @ 03:09 PM gHale

A virtual machine escape attack exploits a vulnerability in Xen hypervisors that allows an attacker within a guest virtual machine to escape to the host and execute code.

This new exploit would escalate an attacker’s local privileges to the most privileged domain, essentially giving the outsider control over the host and other guest VMs, said VUPEN researcher Jordan Gruskovnjak.

The exploit targets a vulnerability reported in June that affects the way Intel processors implement error handling in the AMD SYSRET instruction. The vulnerability is in the instruction, and not the chip, US-CERT said in its June alert.

“The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier incorrectly uses the SYSRET path in cases where a certain address is not a canonical address, which allows local users to gain privileges via a crafted application,” said the advisory for CVE-2012-0217.

The Xen Project, which manages the open source code, repaired the vulnerability in June, and Citrix and other virtualization vendors such as Red Hat, Microsoft, Oracle, FreeBSD, NetBSD and SUSE Linux patched their respective products. Unpatched versions remain vulnerable.

VUPEN said it was able to exploit this vulnerability on a 64-bit Linux paravirtualized guest running on Citrix XenServer 6.0.0 with Xen version 4.1.1. It cautions that other versions are vulnerable as well. The attack is a local privilege escalation attack that targets the dom0 virtual machine, the most privileged domain. Dom0, VUPEN said, is the only VM that has access to hardware by default, and from there it can manipulate the hypervisor to launch unprivileged domains.

“The strategy here will be to inject a dom0 root process with a bindshell (or reverse shell) payload in order to get a root shell from dom0,” Gruskovnjak said. “The same idea as in remote kernel exploitation will be used: Hijack the interrupt 0x80 syscall handler in order to wait for an interruption from dom0 to occur. When an interrupt is triggered from dom0, one is assured that dom0 virtual pages are mapped into memory.”

Tim Deegan, a computer scientist in England and one of the maintainers of the Xen hypervisor code, said it was interesting that VUPEN chose to inject code into dom0 rather than exploit the hypervisor privilege or elevate the privilege of the calling domain.

“I had imagined that an attacker would elevate the privilege of their malicious VM to and then map other VMs’ memory and CPU state directly, but that involves doing some work to understand the OS structures of the other VMs,” Deegan said. “Injecting a process into dom0 lets them just use the existing management toolstack to manipulate other VMs.”

Thursday, October 27, 2011 @ 05:10 PM gHale

A new worm is turning servers running older versions of the JBoss Application Server into botnet drones.

The malware behind the attack is significant because it targets servers rather than PCs and it relies on exploiting a vulnerability that is over a year old: A flaw in JBoss Application Server patched by Red Hat in April 2010. The worm’s payload includes a variety of Perl scripts, one of which builds a backdoor on compromised machines.

Marcus Carey, security researcher and community manager at Rapid7, said outsourcing practices had exacerbated the patching deficiencies the worm exploited.

“Many businesses outsource web application development and once the application is deployed, service contracts may lapse or IT staff may not be paying much attention to them,” Carey said.

“The use of this new malware associated with JBoss is something we have not seen before. However, the actual vulnerability it is exploiting should have been snuffed out years ago. This is far more a business failure than a software security failure at this point,” he added.

The last edition of Microsoft’s Security Intelligence Report found exploits with a patch available for over a year accounted for 3.2 per cent of compromises. By comparison zero-day attacks were responsible for 0.12 per cent of malicious activity.

Friday, March 4, 2011 @ 04:03 PM gHale

Wireshark developers have released versions 1.2.15 and 1.4.4 of their open source, cross-platform network protocol analyzer. These maintenance updates address two highly critical security vulnerabilities that could cause the application to crash.

The first issue (CVE-2011-0538), discovered by Huzaifa Sidhpurwala of the Red Hat Security Response Team, could lead to memory corruption when reading a .pcap file in the pcap-ng format. A remote attacker could use this to effect a denial-of-service (DoS) attack. The other (CVE-2011-0713) is a bug that could lead to a heap-based buffer overflow when reading a specially crafted Nokia DCT3 trace file, possibly leading to the execution of arbitrary code. Further changes include fixes for 32-bit systems when reading a malformed 6LoWPAN packet and updates to various dissectors. All users should update to the latest versions as soon as possible.

More details about the maintenance updates, including a full list of changes, can be found in the 1.2.15 and 1.4.4 release notes.

Wireshark binaries for Windows and Mac OS X, as well as the source code, are available to download, and documentation is available. Wireshark, formerly known as Ethereal, is licensed under version 2 of the GNU General Public Licence (GPLv2).
