Posts Tagged ‘vulnerability’
Wednesday, April 16, 2014 @ 10:04 AM gHale
Innominate released a new firmware version that mitigates the OpenSSL HeartBleed vulnerability in the mGuard products, according to a report on ICS-CERT.
This vulnerability, discovered by researcher Bob Radvanovsky of Infracritical, could end up exploited remotely. Exploits that target the OpenSSL Heartbleed vulnerability are publicly available.
mGuard firmware Versions 8.0.0 and 8.0.1 suffer from the issue.
mGuard firmware Versions 8.0.0 and 8.0.1 use the OpenSSL cryptographic library and transport layer security (TLS) implementation Version 1.0.1, known to be vulnerable to the HeartBleed vulnerability.
Innominate is a Germany-based company that sells products worldwide through its international partners.
The affected products, the mGuard family of products, are industrial security routers. They are in critical infrastructure sectors, including communications, healthcare and public health, and critical manufacturing.
Because of the unpredictable memory layout of HTTPS communication, it is possible the private key of the mGuard web graphic user interface could end up disclosed. An attacker could use this key to impersonate the authenticated user and perform a man-in-the-middle attack.
CVE-2014-0160 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 5.0.
An attacker with a low skill would be able to exploit this vulnerability.
All users of the affected mGuard firmware Versions 8.0.0 and 8.0.1 should upgrade to mGuard firmware Version 8.0.2. Innominate recommends users update SSL keys on the affected products after upgrade. The mGuard firmware Version 8.0.2 provides a combined function to replace both the HTTPS and SSH keys.
For more information regarding this vulnerability and specific instructions on how to install the latest firmware version, click on the Innominate Security Advisory.
Monday, April 14, 2014 @ 07:04 PM gHale
While most of the buzz surrounding OpenSSL’s Heartbleed vulnerability focused on websites and other servers, the SANS Institute said software running on PCs, tablets and more is just as vulnerable.
SANS Institute analyst Jake Williams said black hats knew about the data-leaking bug well before its public discovery and disclosure.
Williams – aka MalwareJake – said vulnerable OpenSSL installations on the client side can undergo attacks from malicious servers to extract passwords and cryptographic keys from users’ computers and gadgets, according to a report in The Register.
Williams said a dodgy server could easily send a message to vulnerable software on phones, laptops, PCs, home routers and other devices, and retrieve up to 64KB of highly sensitive data from the targeted system at a time. It’s an attack that would probably yield handy amounts of data if deployed against users of public Wi-Fi hotspots, he said.
Writing code to exploit vulnerabilities in clients is “not going to be that difficult to do,” he said.
Security penetration testers are going to find themselves in work “through 2020” with this bug, Williams said, and noted that it’s going to be hard to identify vulnerabilities in some environments. For example, he said, it’s going to be hard to tell whether Windows client programs were compiled against vulnerable OpenSSL versions.
And that’s not to mention all the “non-port-443” software that might end up compiled to vulnerable versions of OpenSSL — email servers, databases, LDAP services, and so on.
Williams also said the risk the vulnerability could reveal site certificates means if an attacker has previously recorded encrypted sessions, he or she will now be able to decrypt that traffic.
Worse, he said it’s also feasible what turns up in the leaked memory could give attackers hints at how to take the axe to other software, turning known bugs currently seen as “hard to exploit” into easy kills.
Another issue easily overlooked, he said, is in the cloud. If you’re running VMs in a cloud environment: Admins must find their cloud machines and make sure their code base isn’t Heartbleed vulnerable.
User training is going to be another big issue: End-users are going to have to be trained to check certificate issue dates, to make sure their trusted services (like the bank) have re-issued their certificates.
Then, he added, there are thousands of “shoestring budget” VPN concentrators in smaller businesses that will be vulnerable and probably won’t undergo updates.
Thursday, April 10, 2014 @ 06:04 PM gHale
There is a public report of a vulnerability with proof-of-concept (PoC) exploit code that could expose private SSL keys used in the OpenSSL implementation of secure communication, according to a report in ICS-CERT.
The vulnerability in OpenSSL Versions 1.0.1 through 1.0.1f is a flaw in the implementation of the transport layer security/datagram transport layer security (TLS/DTLS) heartbeat functionality that could disclose private/encrypted information to an attacker, the report said.
This vulnerability is called “heartbleed.” It was discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and by Neel Mehta of Google Security, and ended up reported to the National Cyber Security Centre Finland (NCSC-FI) for vulnerability coordination and reporting to the OpenSSL team.
ICS-CERT issued an alert as an early notice of the report and to identify baseline mitigations for reducing risks from this and other cybersecurity attacks.
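The defect the report describes is a missing length check: a heartbeat message carries its own payload_length field, and the affected versions trusted that field instead of comparing it with the number of bytes actually received. The following Python parser is an added example (not code from the page, ICS-CERT or OpenSSL) that performs the validation RFC 6520 requires on a received heartbeat message; the message layout, the 16-byte minimum padding and the 2^14-byte record limit come from RFC 6520, while the sample messages are constructed here.

```python
import struct

# TLS/DTLS HeartbeatMessage layout from RFC 6520:
#   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding
# Padding must be at least 16 bytes and the whole message must fit in one
# record of at most 2^14 bytes.
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3
MIN_PADDING = 16
MAX_RECORD_LEN = 16384


def parse_heartbeat(record: bytes):
    """Validate a received heartbeat message.

    Returns (type, payload) for a well-formed message and None for one that
    must be silently discarded. The length comparison is the bounds check the
    affected OpenSSL versions lacked: they trusted payload_length and copied
    that many bytes into the response regardless of how much data had
    actually arrived, which is how process memory leaked.
    """
    if len(record) > MAX_RECORD_LEN:
        return None
    if len(record) < HEADER_LEN + MIN_PADDING:
        return None
    hb_type = record[0]
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    (payload_length,) = struct.unpack("!H", record[1:HEADER_LEN])
    # Header + declared payload + minimum padding must fit in what was received.
    if HEADER_LEN + payload_length + MIN_PADDING > len(record):
        return None
    payload = record[HEADER_LEN:HEADER_LEN + payload_length]
    return hb_type, payload


def build_heartbeat(hb_type: int, payload: bytes, padding_len: int = MIN_PADDING) -> bytes:
    """Serialize a heartbeat message with the given payload and padding."""
    return bytes([hb_type]) + struct.pack("!H", len(payload)) + payload + bytes(padding_len)


def build_response(request: bytes):
    """Answer a request the way a patched peer does: echo only a validated payload."""
    parsed = parse_heartbeat(request)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    return build_heartbeat(HEARTBEAT_RESPONSE, parsed[1])


# Constructed sample messages (not captured traffic).
GOOD_REQUEST = build_heartbeat(HEARTBEAT_REQUEST, b"ping")
# Same four payload bytes, but the length field claims the 16-bit maximum;
# a correct receiver discards this instead of answering it.
LYING_REQUEST = bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 0xFFFF) + b"ping" + bytes(MIN_PADDING)

if __name__ == "__main__":
    for label, req in (("well-formed", GOOD_REQUEST), ("oversized length field", LYING_REQUEST)):
        print(label, "->", build_response(req))
```

Run stand-alone, the script shows the well-formed request being echoed and the request with the inflated length field yielding no response at all, which is the behaviour of the fixed library: a message that fails the check is dropped rather than answered.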
For details, click on this US-CERT Vulnerability Note.
Click here for the heartbleed public report.
As OpenSSL may see use as a third-party component, asset owners, operators, and SCADA software developers should investigate the use of the affected versions of OpenSSL in their environments.
OpenSSL Version 1.0.1g has addressed and mitigated this vulnerability. Please contact your software vendor to check for availability of updates.
Thursday, April 3, 2014 @ 03:04 PM gHale
A serious vulnerability that eBay fixed had the potential to allow bad guys to steal from ProStores shops and swipe customer credit cards, a researcher said.
This vulnerability in eBay-owned ProStores not only opened the door to store account hijackers, but also leaked “full access to all their customers PII [Personally identifiable information] as well as their full credit information in clear text,” said Mark Litchfield, a security researcher at Securatary, who also found the defect.
ProStores hosts online shops for eBay sellers to use to sell merchandise, and provides a wizard for creating the traders’ websites.
“Like the gostorego vulnerability (also eBay), we could shop for free by giving ourselves store credit or gift cards or created our own orders for free,” Litchfield said.
After he reported the bug in February, the company fixed the problem, clearing the way for Litchfield to go public.
In order to gain control of a victim’s eBay ProStores site, the attacker must create her own ProStores account, which is not difficult, and then use that as a springboard to infiltrate the victim’s web bazaar, Litchfield said.
“In short, it was possible to change the password of another administrator, then you could log in as that user with full administrative access to the store,” Litchfield said. “With this attack I guess I was more shocked than anything to find the credit card information being displayed back in clear text. If people are buying things online, why would the full card information need to return in clear text to the administrator?”
ProStores targets small to medium businesses, and eBay bought it in 2005. The store offers inventory management, supplier communication and integration with Quickbooks, Dreamweaver and other tools. Litchfield also said there was an XML external entity (XXE) vulnerability in ProStores.
Securatary said it had reported the problem to eBay on February 11 and they fixed it March 20.
Wednesday, April 2, 2014 @ 08:04 AM gHale
A WinRAR vulnerability is part of a malware campaign targeting government and international organizations, as well as Fortune Global 500 companies.
WinRAR is a Windows data compression tool that focuses on the RAR and ZIP data compression formats for Windows users.
The vulnerability lets an attacker create a ZIP file that appears to contain one thing when compressed, but actually houses something different altogether, said Israeli security researcher Danor Cohen.
From an attacker’s standpoint, they can effectively compress a Trojan, or some other malware, with WinRAR and make it seem like the created ZIP file contains an image, or something else that is harmless. The attacker then waits for someone to click on the file, which is actually an executable, and the target ends up compromised.
Cohen observed the vulnerability – which he called WinRAR file extension spoofing – on WinRAR version 4.20, but IntelCrawler researchers found it can end up exploited on all versions of WinRAR, including version 5.1.
The exploit is possible because WinRAR will compress a file and create new properties, including an extra ‘file name’ input. By altering one of the ‘file name’ inputs, the ZIP will say it contains something different from what is actually inside.
IntelCrawler found starting March 24 attackers exploiting this WinRAR vulnerability in a “cyber espionage campaign” targeting aerospace companies, military subcontractors, embassies, and firms on the Fortune Global 500 list.
In one sample of a spam email obtained by IntelCrawler, the attackers attached the password protected, malicious ZIP file – named ‘FAX.zip’ – and included the password for the file in the body of the email, which was said to be from European Council Legal Affairs.
Researchers analyzed the attachment and determined it was a Zeus-like Trojan capable of establishing remote administration channels with the infected victim, and gathering passwords and saved forms, according to the research.
Tuesday, March 25, 2014 @ 06:03 PM gHale
An app exploiting an Android vulnerability triggers the continuous rebooting of a device.
Ibrahim Balic, the creator of the Proof-of-Concept (PoC) that exploits the vulnerability, said it can end up exploited via apps that have been equipped with an extremely long value (387,000+ characters) inserted into the “appname” field in strings.xml.
Trend Micro researchers described the flaw, saying, “our analysis shows that the first crash is caused by the memory corruption in WindowManager, the interface that apps use to control the placement and appearance of windows on a given screen. Large amounts of data were entered into the Activity label, which is the equivalent of the window title in Windows.”
“If a cybercriminal builds an app containing a hidden Activity with a large label, the user will have no idea whatsoever that this exploit is in fact taking place. Cybercriminals can further conceal the exploit by setting a timed trigger event that stops the current app activity and then opens the hidden Activity. When the timed event is triggered, the exploit runs, and the system server crashes as a result. This stops all functionality of the mobile device, and the system will be forced to reboot.
“An even worse case is when the malware is written to start automatically upon device startup. Doing so will trap the device in a rebooting loop, rendering it useless. In this case, only a boot loader recovery fix will work, which means that all the information (contacts, photos, files, etc.) stored inside the device will be erased.”
The flaw apparently affects mobile devices with Android OS versions 4.0 and above.
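Because the trigger lives in an ordinary resource file, an app-vetting or MDM pipeline can screen for it before installation by parsing strings.xml and flagging any string resource far larger than a label could ever need to be. The script below is an added example, not code from Trend Micro, Balic or the page; the 4,096-character policy limit is an assumption chosen for illustration (the crashing app carried 387,000+ characters), and the resource file it scans is constructed here.

```python
import xml.etree.ElementTree as ET

# Policy threshold chosen for this example (an assumption, not an Android
# limit): no user-visible label legitimately approaches a few thousand
# characters, while the PoC's "appname" held 387,000+.
MAX_LABEL_CHARS = 4096


def oversized_strings(strings_xml: str, limit: int = MAX_LABEL_CHARS):
    """Parse a res/values/strings.xml document and return {name: length}
    for every <string> resource whose text exceeds the limit."""
    root = ET.fromstring(strings_xml)
    if root.tag != "resources":
        raise ValueError("not an Android resources file")
    flagged = {}
    for node in root.iter("string"):
        name = node.get("name")
        # itertext() concatenates text across inline markup such as <b> or <xliff:g>,
        # so styled labels are measured at their full rendered length.
        text = "".join(node.itertext())
        if name and len(text) > limit:
            flagged[name] = len(text)
    return flagged


# Constructed sample resource file; the long value mimics the PoC's oversized "appname".
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Notes</string>
    <string name="welcome">Welcome, <b>user</b>!</string>
    <string name="appname">{}</string>
</resources>
""".format("A" * 387001)

if __name__ == "__main__":
    for name, length in oversized_strings(SAMPLE_STRINGS_XML).items():
        print(f"{name}: {length} characters exceeds limit {MAX_LABEL_CHARS}")
```

In a real pipeline the same function would be run over every values/ directory of the decoded APK (including localized variants), since the oversized label only needs to exist in one of them to reach the Activity label.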
Tuesday, February 18, 2014 @ 03:02 PM gHale
Proof-of-concept exploit code is available for a vulnerability that allows attackers to launch denial-of-service (DoS) attacks against websites hosted on Apache Tomcat servers.
Apache Tomcat is a widely used Web server for hosting applications developed with the Java Servlet and the JavaServer Pages (JSP) technologies.
The new DoS vulnerability is in Apache Commons FileUpload, a stand-alone library developers can use to add file upload capability to their Java Web-based applications. This library is included in Apache Tomcat versions 7 and 8 by default in order to support the processing of mime-multipart requests.
The multipart content type also comes into play when an HTTP request needs to include different sets of data in its body. The different data sets end up separated by an encapsulation boundary — a string of text defined in the request headers to serve as the boundary.
Requests with a specified boundary longer than 4091 characters will force vulnerable Apache Tomcat servers into an endless loop, said security researchers from Trustwave. As a result, the Tomcat process will end up using all available CPU resources until it stops.
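Because the trigger is visible in a single request header, a reverse proxy or WAF in front of Tomcat can refuse the request before the multipart parser ever sees it. The Python below is an added example (not code from Trustwave, Apache or the page) of such a front-end check: it extracts the boundary parameter from a Content-Type header with a small hand-rolled parser, so the check does not depend on the application's own multipart library, and classifies the request against two limits, the 70-character maximum RFC 2046 allows for a boundary and the 4091-character threshold the report gives for the endless loop. The header values it runs on are constructed here, not captured traffic.

```python
# RFC 2046 caps a multipart boundary at 70 characters; per the report,
# boundaries longer than 4091 characters send affected Tomcat/Commons
# FileUpload versions into an endless loop. Both limits are named so a proxy
# or WAF rule can drop the abusive request before it reaches the application.
RFC2046_MAX_BOUNDARY = 70
TOMCAT_LOOP_THRESHOLD = 4091


def extract_boundary(content_type: str):
    """Return the boundary parameter of a multipart Content-Type, or None.

    RFC 2046 does not allow ';' inside a boundary, so splitting the parameter
    list on ';' is safe for any boundary a legitimate client can send.
    """
    media_type, _, params = content_type.partition(";")
    if not media_type.strip().lower().startswith("multipart/"):
        return None
    for param in params.split(";"):
        name, _, value = param.strip().partition("=")
        if name.strip().lower() == "boundary":
            value = value.strip()
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = value[1:-1]
            return value
    return None


def assess_content_type(content_type: str) -> str:
    """Classify a request for a front-end filter.

    'pass'    - not multipart, or boundary within the RFC 2046 limit
    'suspect' - longer than RFC 2046 allows but below the loop threshold
    'block'   - long enough to trigger the endless loop on affected versions
    """
    boundary = extract_boundary(content_type)
    if boundary is None:
        return "pass"
    if len(boundary) > TOMCAT_LOOP_THRESHOLD:
        return "block"
    if len(boundary) > RFC2046_MAX_BOUNDARY:
        return "suspect"
    return "pass"


# Constructed header values, not captured traffic.
SAMPLE_HEADERS = {
    "browser upload": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "quoted boundary": 'multipart/form-data; charset=utf-8; boundary="simple boundary"',
    "json": "application/json",
    "oversized boundary": "multipart/form-data; boundary=" + "A" * 120,
    "loop trigger": "multipart/form-data; boundary=" + "A" * (TOMCAT_LOOP_THRESHOLD + 1),
}


def assess_samples():
    """Run the classifier over every constructed sample."""
    return {label: assess_content_type(ct) for label, ct in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    for label, verdict in assess_samples().items():
        print(f"{label:20s} -> {verdict}")
```

The 'suspect' tier is the useful one for logging: a boundary over 70 characters is already outside the standard, so alerting on it catches probing well before a request reaches the 4091-character threshold, and it costs nothing for standards-conforming browsers and HTTP libraries, whose boundaries are far shorter.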
The vulnerability, tracked as CVE-2014-0050, ended up reported responsibly to the Apache Software Foundation Feb. 4, but accidentally made it out to the public two days later because of an error in addressing an internal email. This prompted Apache to release a security advisory the same day despite the absence of patched versions for Commons FileUpload or Tomcat 7 and 8.
Since then, officials fixed the vulnerability in Commons FileUpload version 1.3.1, which was released on Feb. 7, and in a beta version of Tomcat 8.0.3 released last Tuesday. It also should come out in Apache Tomcat 7.0.51, but this version of the server has yet to be released.
According to Apache, the risk from this vulnerability is lower on older servers running Tomcat 6. “While Tomcat 6 uses Commons FileUpload as part of the Manager application, access to that functionality is limited to authenticated administrators,” Apache said in its advisory.
Code patches are available in the SVN repositories for Commons FileUpload, Tomcat 8 and Tomcat 7, but they need manual application.
Servers running Apache Tomcat 7.0 to 7.0.50 or 8.0 to 8.0.1 and hosting sites that utilize Servlet 3.0 specifications — for example “request.getPart” or “request.getParts” methods — are vulnerable, said Oren Hafif, a security researcher at Trustwave, in a blog post. Sites using Apache Commons FileUpload library older than 1.3.1 are also vulnerable, he said.
The researcher released a proof-of-concept exploit written in Ruby that administrators can use in their quality assurance or staging environments to test if their Tomcat-hosted sites are vulnerable.
Thursday, February 13, 2014 @ 04:02 AM gHale
Facebook fixed an Instagram cross-site request forgery (CSRF) vulnerability first reported 22 August.
Freelance security researcher Christian Lopez Martin first found the vulnerability, which allowed access to users’ photos and information by making their private profiles public.
The service’s lack of a mechanism to prevent CSRF attacks allowed Martin to create a simple CSRF exploit. Facebook deployed a fix on 6 September 2013, but Martin found a way to bypass that too. After yet another ineffective fix, a final patch fixed the problem 4 February 2014.
Click here for more information.
Wednesday, February 12, 2014 @ 11:02 PM gHale
MatrikonOPC created a patch that mitigates the improper input validation vulnerability in the MatrikonOPC SCADA DNP3 OPC Server application, according to a report on ICS-CERT.
Researchers Adam Crain of Automatak and independent researcher Chris Sistrunk, who discovered the vulnerability, tested the patch to validate it resolves the remotely exploitable vulnerability.
MatrikonOPC SCADA DNP3 OPC Server versions older than Version 184.108.40.206 suffer from the issue.
An attacker could potentially use this vulnerability to craft an exploit to cause a denial-of-service (DoS) loop in the MatrikonOPC Server for DNP3 Windows service. This requires a reboot of the system to restart DNP3 communications. After the service falls into the DoS condition, the configuration tool experiences a read access violation.
MatrikonOPC is an Edmonton, Canada-based company that maintains offices in several countries around the world, including the United States, Canada, Germany, Russia, Australia, Singapore, Norway, Brazil, UK, India, Spain, Portugal, and Costa Rica.
The affected product, SCADA DNP3 OPC Server, is Microsoft Windows-based software that facilitates connectivity to multiple DNP3 compliant devices such as remote terminal units, programmable logic circuits, and meters. The SCADA DNP3 OPC Server deploys across several sectors including chemical and energy. MatrikonOPC products are used primarily in the US, Canada, and UK, according to MatrikonOPC.
The susceptible versions of MatrikonOPC contain a specific vulnerability that may cause the server to exit and communications to stop. This only happens after the server (master station) successfully connects to a device (outstation) that returns a malformed DNP3 packet. The process never recovers and cannot shut down. The Windows operating system on the master station would have to reboot to reestablish communications. After the service falls into a DoS condition, the configuration tool experiences a read access violation on further reboots.
CVE-2013-2829 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.
No known public exploits specifically target this vulnerability. An attacker with a moderate skill would be able to exploit this vulnerability.
MatrikonOPC recommends customers obtain and install the patch.
Click on the Product Advisory section, and read the posted security notification.
Contact OPC Support to obtain the new version of the OPC server for DNP3. Install the new version of the OPC Server for DNP3.
The researchers suggest the following mitigation: Block DNP3 traffic from traversing onto business or corporate networks through the use of an IPS or firewall with DNP3-specific rule sets.