Posts Tagged ‘vulnerability’
Thursday, January 15, 2015 @ 06:01 PM gHale
Google released details of a new privilege escalation vulnerability in Windows just as Microsoft was getting ready to send out a patch.
The issue is the vulnerability first came to Microsoft’s attention over 90 days ago and Google’s Project Zero automatically released the details when the Redmond software giant did not release a patch within the 90-day disclosure deadline.
“When a user logs into a computer the User Profile Service is used to create certain directories and mount the user hives (as a normal user account cannot do so),” Google said in its report. “In theory the only thing which needs to be done under a privileged account (other than loading the hives) is creating the base profile directory. This should be secure because c:\users requires administrator privileges to create. The configuration of the profile location is in HKLM so that can’t be influenced.”
“However, there seems to be a bug in the way it handles impersonation, the first few resources in the profile get created under the user’s token, but this changes to impersonating Local System part of the way through. Any resources created while impersonating Local System might be exploitable to elevate privilege. Note that this occurs every time the user logs in to their account, it isn’t something that only happens during the initial provisioning of the local profile,” Google said.
A proof-of-concept (PoC) demonstrating the attack on Windows 8.1 published, but researchers said the vulnerability also affects Windows 7.
In November, Microsoft informed Google of plans to address the issue in February 2015 and asked for an extension of the deadline. However, Google told Microsoft the 90 day deadline is “fixed for all vendors and bug classes and so cannot be extended.” Later, Microsoft promised to address the vulnerability in January, but Google still refused to extend its deadline even by two days.
In late December, Project Zero published the details and a proof-of-concept for a different Windows 8.1 privilege escalation flaw after the 90-day deadline expired.
Friday, August 22, 2014 @ 04:08 PM gHale
One thousand of the most popular free Android apps from Google Play have a vulnerability that can cause a man-in-the-middle (MitM) attack, researchers said.
These apps have an SSL/TLS vulnerability that an attacker can leverage to his or her advantage, said researchers at FireEye Mobile Security Team. They looked to see how many apps communicate with their servers via secure network protocols, and whether the apps that do have a correct implementation of the Android platform’s SSL libraries.
The researches asked some of the tough questions: “Do they use trust managers that check certificate chains from remote servers? Does the hostname of the server extracted from the CA-issued certificate match the hostname of the server the application intends to connect to? Do the apps ignore SSL errors in WebKit (a component that renders server pages in mobile applications)?”
The results showed of the 1,000 tested apps, 614 applications use SSL/TLS, but 448 (around 73 percent of that 614) do not check certificates, 50 ( around 8 percent) use their own hostname verifiers that do not check hostnames, and of the 285 that use Webkit, 219 (around 77 percent) ignore SSL errors generated in it.
The numbers were a bit different when the researchers analyzed the top 10,000 most popular apps, but nevertheless bad.
“Applications may use third-party libraries to enable part of their functionality. When these libraries have baked-in vulnerabilities, they are particularly dangerous because they make all applications that use them, and frequently the devices that run them, vulnerable. Furthermore, these vulnerabilities are not weaknesses in the applications themselves, but in the features they rely upon for functionality,” the FireEye researchers said.
The team tested their findings by creating proof of concept MitM attacks against several of these popular apps and ad libraries they use, and found some sported SSL vulnerabilities in both. Most of these apps ended up downloaded several hundreds of times.
Click here for more details.
Friday, May 16, 2014 @ 04:05 PM gHale
Siemens reported to ICS-CERT an incorrect certificate verification in RuggedCom ROX based devices.
Siemens is working on a firmware update for the remotely exploitable vulnerability.
The following Siemens RuggedCom ROX-based devices suffer from the issue:
• ROX version 1.16, and
• ROX version 2.2 through 2.5
In RuggedCom ROX-based devices, GnuTLS sees use for client certificate verification. Because GnuTLS is vulnerable to an incorrect error handling issue within this function, an attacker would be able to perform man-in-the-middle attacks.
Munich-Germany-based Siemens has offices all over the world. It develops products mainly in the energy, healthcare and public health sectors, and transportation systems.
The affected products, RuggedCom switches and serial-to-Ethernet devices, connect devices that operate in harsh environments such as electric utility substations and traffic control cabinets.
ROX-based Ruggedcom devices use GnuTLS libraries to enable secure communication. GnuTLS suffers from incorrect error handling in certificate verification, which could allow man in-the-middle attacks, and this may affect multiple services in these devices.
The following client-side services use GnuTLS libraries:
• Secure Syslog (only affects ROX Version 1.16)
• Software upgrades with HTTPS-based connections. Nonsecure connections do not have the issue. (Only affects ROX Versions 2.4 and 2.5)
• FTPS (only affects ROX versions from v2.2 through v2.5 inclusive)
CVE-2014-0092 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 5.8.
No known public exploits specifically target this vulnerability and an attacker with a moderate skill would be able to exploit this vulnerability.
Siemens is working on a firmware update to resolve this vulnerability. In the mean time, Siemens recommends using alternate services (e.g., SFTP) to secure communication. In cases where these alternative services are not viable, Siemens recommends ensuring data transfers only over trusted networks.
Siemens recommends the following for the affected services:
• Secure Syslog: Siemens recommends placing the syslog server inside the trusted network boundary until a corrected update is available.
• Software upgrade: When updating devices running the affected ROX versions, the identity of the update server is not verifiable. Siemens recommends placing the upgrade server inside the trusted network boundary.
• FTPS: Siemens recommends using SFTP for data transfer until a corrected update is available.
For more information, click on Siemens advisory SSA-839231.
Tuesday, April 29, 2014 @ 05:04 PM gHale
It appears a vulnerability in Sohu.com, a video content provider, ended up leveraged by attackers this month to launch large-scale distributed denial of service (DDoS) attacks, researchers said.
Sohu, which translates as “search fox,” is China’s eighth largest web site. It provides online media, gaming, search, community and mobile services. While Sohu is not popular among users in the West, it’s currently number 27 of the most visited website in the world.
The attackers found a cross-site scripting (XSS) vulnerability in Sohu.TV, the company’s video streaming service, said researchers at Incapsula. Sohu officials patched the hole after Incapsula notified them.
“Once we uncovered the source of the browser-based DDoS attack and replicated persistent XSS vulnerability that allowed it to occur we immediately went on to share our findings with Sohu security team,” Incapsula researchers said.
“With this information in hand Sohu team could quickly evaluate the problem and respond with a rapid patch which fixed the security hole, rendering this browser-based botnet completely useless,” the researchers said.
Incapsula discovered the attack technique after one of their customers suffered a DDoS attack involving 20 million GET requests coming from more than 22,000 web browsers.
The profiles in question were able to post comments on popular videos. Each time one of these videos loaded, the malicious code embedded inside the profile image executed, launching a DDoS attack against the designated target.
The GET requests went out at a rate of one per second. With some videos up to 30 minutes long, and a large number of users were viewing the same video at any given time, it was enough to disrupt a website that didn’t use any DDoS protection.
Monday, April 28, 2014 @ 06:04 PM gHale
There is a Zero Day vulnerability in all versions of Internet Explorer seeing use in “limited, targeted attacks,” Microsoft officials said.
They are investigating the vulnerability and exploit and have not yet determined what action they will take in response or when.
All versions of Internet Explorer from 6 through 11 are vulnerable as well as all supported versions of Windows other than Server Core. Windows Server versions on where IE runs in the default Enhanced Security Configuration are not vulnerable unless an affected site ends up placed in the Internet Explorer Trusted sites zone.
FireEye, which discovered the issue, said while the vulnerability affects all versions of IE, the attack is specific to versions 9, 10 and 11. It is a “use after free” attack in which memory objects in the browser end up manipulated after release. The attack bypasses both DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization).
The specific exploit uses an Adobe Flash SWF file to manipulate the heap with a technique called heap feng shui, the FireEye researchers said.
EMET, the Enhanced Mitigation Experience Toolkit, will also make it more difficult to exploit this vulnerability.
FireEye Research Labs identified the IE Zero Day. This Zero Day bypasses ASLR and DEP. Microsoft has assigned CVE-2014-1776 to the vulnerability and released security advisory to track this issue.
“Threat actors are actively using this exploit in an ongoing campaign which we have named ‘Operation Clandestine Fox,’” FireEye researchers said on a blog. “However, for many reasons, we will not provide campaign details. But we believe this is a significant Zero Day as the vulnerable versions represent about a quarter of the total browser market. We recommend applying a patch once available.”
According to NetMarket Share, the market share for the targeted versions of IE in 2013 were:
• IE 9: 13.9 percent
• IE 10: 11.04 percent
• IE 11: 1.32 percent
Collectively, in 2013, the vulnerable versions of IE accounted for 26.25 percent of the browser market. The vulnerability, however, does appear in IE6 through IE11 though the exploit targets IE9 and higher.
“The exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections,” the researchers said on their blog.
“The exploit page loads a Flash SWF file to manipulate the heap layout with the common technique heap feng shui. It allocates Flash vector objects to spray memory and cover address 0×18184000. Next, it allocates a vector object that contains a flash.Media.Sound() object, which it later corrupts to pivot control to its ROP chain.”
Wednesday, April 23, 2014 @ 07:04 PM gHale
Oracle issued an advisory listing security updates and detailing what is known and unknown about the Heartbleed vulnerability’s impact.
“The Oracle Global Product Security and Development teams are investigating the use of the affected OpenSSL cryptographic libraries in Oracle products and will provide mitigation instructions when available for these affected Oracle products,” Oracle said in its advisory. “Note that only a number of OpenSSL cryptographic libraries versions were reported as affected by vulnerability CVE-2014-0160. In other words, certain Oracle products, while they may be reported as using OpenSSL, may not be using versions of OpenSSL that were reported as vulnerable to CVE-2014-016.”
The Heartbleed bug potentially allows an attacker to steal data from the memory of a device or system running the flawed OpenSSL software and compromise the encryption protecting communications between it and other devices.
Products known to be vulnerable include and for which there are patches are: MySQL Connector/C 6.1.0-6.1.3; MySQL Connector/ODBC 5.1.13, 5.2.5-5.2.6 and 5.3.2; MySQL Enterprise Backup 3.10.0; MySQL Enterprise Monitor 2.3.13-2.3.15 and 3.0.0-3.0.8; MySQL Enterprise Server 5.6.11-5.6.17 and MySQL Workbench 6.1.4 and earlier.
Other products known to be vulnerable that have patches available are: Oracle Big Data Appliance; Oracle Communications Interactive Session Recorder 4.0.0 and later; Oracle Communications Network Charging and Control 5.0.1; Oracle Communications Session Monitor Suite 3.3.40 and 3.3.50; Oracle Linux 6; Oracle Mobile Security Suite; Oracle Virtual Compute Appliance Software; and Solaris 11.2.
There are other products considered likely to be vulnerable but have no fixes, such as Java ME — JSRs and Optional Packages and Oracle Communications Session Delivery Management Suite NNC 7.3. Several other products, including Java CAPS 6.2 and Siebel CRM, are potentially vulnerable but are still under investigation.
“Oracle’s Cloud security and development teams are aware of the publicly disclosed vulnerability in certain versions of OpenSSL (a.k.a. CVE-2014-0160; or ‘Heartbleed’),” according to the advisory. “Oracle is investigating the implications of this issue across the Oracle stack.”
“The Oracle Cloud uses a “defense in depth” approach to security, which provides risk mitigation due to layered controls,” Oracle said. Oracle has assessed that the infrastructure, systems and applications used to provide Oracle Cloud services (“Cloud infrastructure”) were not at risk from this vulnerability, due to Oracle’s network architecture and use of SSL accelerators that have not been reported as vulnerable to CVE-2014-0160. Furthermore, Oracle has assessed our Cloud infrastructure using a number of automated and manual tests and continues to believe that it is not currently at risk from the CVE-2014-0160 vulnerability.”
Wednesday, April 16, 2014 @ 10:04 AM gHale
Innominate released a new firmware version that mitigates the OpenSSL HeartBleed vulnerability in the mGuard products, according to a report on ICS-CERT.
This vulnerability, discovered by researcher Bob Radvanovsky of Infracritical, could end up exploited remotely. Exploits that target the OpenSSL Heartbleed vulnerability are publicly available.
mGuard firmware Versions 8.0.0 and 8.0.1 suffer from the issue.
mGuard firmware Versions 8.0.0 and 8.0.1 use the OpenSSL cryptographic library and transport layer security (TLS) implementation Version 1.0.1, known to be vulnerable to the HeartBleed vulnerability.
Innominate is a Germany-based company that sells products worldwide through its international partners.
The affected products, the mGuard family of products, are industrial security routers. They are in critical infrastructure sectors, including communications, healthcare and public health, and critical manufacturing.
Because of the unpredictable memory layout of HTTPS communication, it is possible the private key of the mGuard web graphic user interface could end up disclosed. An attacker could use this key to impersonate the authenticated user and perform a man-in-the-middle attack.
CVE-2014-0160 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 5.0.
An attacker with a low skill would be able to exploit this vulnerability.
All users of the affected mGuard firmware Versions 8.0.0 and 8.0.1 should upgrade to mGuard firmware Version 8.0.2. Innominate recommends users update SSL keys on the affected products after upgrade. The mGuard firmware Version 8.0.2 provides a combined function to replace both the HTTPS and SSH keys.
For more information regarding this vulnerability and specific instructions on how to install the latest firmware version, click on the Innominate Security Advisory.
Monday, April 14, 2014 @ 07:04 PM gHale
While most of the buzz surrounding OpenSSL’s Heartbleed vulnerability focused on websites and other servers, the SANS Institute said software running on PCs, tablets and more is just as vulnerable.
SANS Institute analyst Jake Williams said black hats knew about the data-leaking bug well before its public discovery and disclosure.
Williams – aka MalwareJake – said vulnerable OpenSSL installations on the client side can undergo attacks from malicious servers to extract passwords and cryptographic keys from users’ computers and gadgets, according to a report in The Register.
Williams said a dodgy server could easily send a message to vulnerable software on phones, laptops, PCs, home routers and other devices, and retrieve up to 64KB of highly sensitive data from the targeted system at a time. It’s an attack that would probably yield handy amounts of data if deployed against users of public Wi-Fi hotspots, he said.
Writing code to exploit vulnerabilities in clients is “not going to be that difficult to do,” he said.
Security penetration testers are going to find themselves in work “through 2020” with this bug, Williams said, and noted that it’s going to be hard to identify vulnerabilities in some environments. For example, he said, it’s going to be hard to tell if Windows client programs compiled against vulnerable OpenSSL versions.
And that’s not to mention all the “non-port-443″ software that might end up compiled to vulnerable versions of OpenSSL — email servers, databases, LDAP services, and so on.
Williams also said the risk the vulnerability could reveal site certificates means if an attacker has previously recorded encrypted sessions, he or she will now be able to decrypt that traffic.
Worse, he said it’s also feasible what turns up in the leaked memory could give attackers hints at how to take the axe to other software, turning known bugs currently seen as “hard to exploit” into easy kills.
Another issue easily overlooked, he said, is in the cloud. If you’re running VMs in a cloud environment: Admins must find their cloud machines and make sure their code base isn’t Heartbleed vulnerable.
User training is going to be another big issue: End-users are going to have to be trained to check certificate issue dates, to make sure their trusted services (like the bank) have re-issued their certificates.
Then, he added, there are thousands of “shoestring budget” VPN concentrators in smaller businesses that will be vulnerable and probably won’t undergo updates.