Posts Tagged ‘vulnerability’
Tuesday, February 18, 2014 @ 03:02 PM gHale
Proof-of-concept exploit code is available for a vulnerability that allows attackers to launch denial-of-service (DoS) attacks against websites hosted on Apache Tomcat servers.
Apache Tomcat is a widely used Web server for hosting applications developed with the Java Servlet and the JavaServer Pages (JSP) technologies.
The new DoS vulnerability is in Apache Commons FileUpload, a stand-alone library developers can use to add file upload capability to their Java Web-based applications. This library is included in Apache Tomcat versions 7 and 8 by default to support the processing of MIME multipart requests.
The multipart content type also comes into play when an HTTP request needs to include different sets of data in its body. The different data sets end up separated by an encapsulation boundary — a string of text defined in the request headers to serve as the boundary.
Requests with a specified boundary longer than 4091 characters will force vulnerable Apache Tomcat servers into an endless loop, said security researchers from Trustwave. As a result, the Tomcat process will end up using all available CPU resources until it stops.
The vulnerability, tracked as CVE-2014-0050, ended up reported responsibly to the Apache Software Foundation Feb. 4, but accidentally made it out to the public two days later because of an error in addressing an internal email. This prompted Apache to release a security advisory the same day despite the absence of patched versions for Commons FileUpload or Tomcat 7 and 8.
Since then, officials fixed the vulnerability in Commons FileUpload version 1.3.1, released on Feb. 7, and in a beta version of Tomcat 8.0.3 released last Tuesday. The fix also should come out in Apache Tomcat 7.0.51, but that version of the server has yet to be released.
According to Apache, the risk from this vulnerability is lower on older servers running Tomcat 6. “While Tomcat 6 uses Commons FileUpload as part of the Manager application, access to that functionality is limited to authenticated administrators,” Apache said in its advisory.
Code patches are available in the SVN repositories for Commons FileUpload, Tomcat 8 and Tomcat 7, but they need manual application.
Servers running Apache Tomcat 7.0 to 7.0.50 or 8.0 to 8.0.1 and hosting sites that utilize Servlet 3.0 specifications — for example “request.getPart” or “request.getParts” methods — are vulnerable, said Oren Hafif, a security researcher at Trustwave, in a blog post. Sites using Apache Commons FileUpload library older than 1.3.1 are also vulnerable, he said.
The researcher released a proof-of-concept exploit written in Ruby that administrators can use in their quality assurance or staging environments to test if their Tomcat-hosted sites are vulnerable.
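As an added example (not code from the article, Trustwave or the Apache project), the following Python checks turn the details above into two things an administrator can verify: whether a request's multipart boundary exceeds the 4091-character limit, so a reverse proxy or WAF can reject it before Tomcat parses it, and whether a Tomcat or Commons FileUpload version string falls inside the affected ranges. The function names and sample headers are constructed for illustration.

```python
import re

# The article's threshold: a boundary longer than 4091 characters sends an
# unpatched Commons FileUpload into an endless loop.
MAX_BOUNDARY_LEN = 4091
# Affected ranges named in the article (inclusive): Tomcat 7.0.0-7.0.50 and
# 8.0.0-8.0.1; any Commons FileUpload release before 1.3.1.
AFFECTED_TOMCAT = [((7, 0, 0), (7, 0, 50)), ((8, 0, 0), (8, 0, 1))]
FIXED_FILEUPLOAD = (1, 3, 1)
# boundary=value or boundary="quoted value" as a Content-Type parameter
_BOUNDARY_RE = re.compile(r';\s*boundary\s*=\s*(?:"([^"]*)"|([^;\s]*))', re.IGNORECASE)

def parse_boundary(content_type):
    """Return the boundary parameter of a multipart Content-Type value, or None."""
    if not content_type or not content_type.strip().lower().startswith("multipart/"):
        return None
    m = _BOUNDARY_RE.search(content_type)
    if m is None:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)

def boundary_is_oversized(content_type, limit=MAX_BOUNDARY_LEN):
    """True when the declared boundary is longer than the safe limit."""
    boundary = parse_boundary(content_type)
    return boundary is not None and len(boundary) > limit

def flag_oversized_requests(content_types):
    """Indexes of the Content-Type values a proxy or WAF should reject up front."""
    return [i for i, ct in enumerate(content_types) if boundary_is_oversized(ct)]

def _version_tuple(text):
    """'7.0.50' -> (7, 0, 50); missing components count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def tomcat_is_affected(version):
    """True for the Tomcat 7.0.x / 8.0.x builds the article lists as vulnerable."""
    v = _version_tuple(version)
    return any(low <= v <= high for low, high in AFFECTED_TOMCAT)

def fileupload_is_affected(version):
    """True for any Commons FileUpload release before the fixed 1.3.1."""
    return _version_tuple(version) < FIXED_FILEUPLOAD

# Constructed sample headers: a browser upload, a quoted boundary, one whose
# boundary is 4092 characters long, and a non-multipart request.
SAMPLE_HEADERS = [
    "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    'multipart/form-data; boundary="simple boundary"',
    "multipart/form-data; boundary=" + "A" * 4092,
    "application/x-www-form-urlencoded",
]
```

Running `flag_oversized_requests(SAMPLE_HEADERS)` returns `[2]`, the only header whose boundary crosses the limit; a boundary of exactly 4091 characters is left alone.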
Thursday, February 13, 2014 @ 04:02 AM gHale
Facebook fixed an Instagram cross-site request forgery (CSRF) vulnerability first reported on 22 August.
Freelance security researcher Christian Lopez Martin first found the vulnerability, which allowed access to users’ photos and information by making their private profiles public.
The service’s lack of a mechanism to prevent CSRF attacks allowed Martin to create a simple CSRF exploit. Facebook deployed a fix on 6 September 2013, but Martin found a way to bypass that too. After yet another ineffective fix, a final patch fixed the problem 4 February 2014.
Wednesday, February 12, 2014 @ 11:02 PM gHale
MatrikonOPC created a patch that mitigates the improper input validation vulnerability in the MatrikonOPC SCADA DNP3 OPC Server application, according to a report on ICS-CERT.
Researchers Adam Crain of Automatak and independent researcher Chris Sistrunk, who discovered the vulnerability, tested the patch to validate it resolves the remotely exploitable vulnerability.
MatrikonOPC SCADA DNP3 OPC Server versions older than Version 184.108.40.206 suffer from the issue.
An attacker could potentially use this vulnerability to craft an exploit to cause a denial-of-service (DoS) loop in the MatrikonOPC Server for DNP3 Windows service. This requires a reboot of the system to restart DNP3 communications. After the service falls into the DoS condition, the configuration tool experiences a read access violation.
MatrikonOPC is an Edmonton, Canada-based company that maintains offices in several countries around the world, including the United States, Canada, Germany, Russia, Australia, Singapore, Norway, Brazil, UK, India, Spain, Portugal, and Costa Rica.
The affected product, SCADA DNP3 OPC Server, is Microsoft Windows-based software that facilitates connectivity to multiple DNP3-compliant devices such as remote terminal units, programmable logic controllers, and meters. The SCADA DNP3 OPC Server deploys across several sectors including chemical and energy. MatrikonOPC products are used primarily in the US, Canada, and UK, according to MatrikonOPC.
The susceptible versions of MatrikonOPC contain a specific vulnerability that may cause the server to exit and communications to stop. This only happens after the server (master station) successfully connects to a device (outstation) that returns a malformed DNP3 packet. The process never recovers and cannot shut down. The Windows operating system on the master station would have to reboot to reestablish communications. After the service falls into a DoS condition, the configuration tool experiences a read access violation on further reboots.
CVE-2013-2829 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.
No known public exploits specifically target this vulnerability. An attacker with a moderate skill would be able to exploit this vulnerability.
MatrikonOPC recommends customers obtain and install the patch.
Click on the Product Advisory section, and read the posted security notification.
Contact OPC Support to obtain the new version of the OPC server for DNP3. Install the new version of the OPC Server for DNP3.
The researchers suggest the following mitigation: Block DNP3 traffic from traversing onto business or corporate networks through the use of an IPS or firewall with DNP3-specific rule sets.
Thursday, December 19, 2013 @ 04:12 PM gHale
The series of DNP3 vulnerabilities continues with Lenexa, KS-based NovaTech creating a firmware update that mitigates an improper input validation vulnerability in its Orion Substation Automation Platform, according to a report on ICS-CERT.
Adam Crain of Automatak and independent researcher Chris Sistrunk, who found the vulnerability, tested the firmware update to validate that it resolves the remotely exploitable vulnerability.
The following Orion versions suffer from the issue:
• OrionLX DNP Master v1.27.38 and DNP Slave V1.23.10 and earlier (included in firmware releases 7.6 and earlier), and
• Orion5/Orion5r DNP Master V1.27.38 and DNP Slave V1.23.10 and earlier.
A specially crafted command sent over either an Internet Protocol (IP) or a serial connection causes the Orion process to restart. This applies to the IP Master/Client and the serial Slave/Server implementation.
The Orion Substation Automation Platform is a SCADA RTU system using the DNP3 protocol. According to NovaTech, the Orion deploys across several sectors, but primarily in energy in the United States.
As this vulnerability affects Internet protocol-connected and serial-connected devices, there are two CVSS scores.
The NovaTech Orion DNP Products Master Driver does not validate input correctly. A specially crafted IP-based packet can cause the Orion Process in the OrionLX to restart. The sequence of effects caused by this packet is the running DNP driver crashes, the Alarm LED/contact asserts, and the Orion process restarts.
The following scoring is for IP-connected devices: CVE-2013-2821 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.
A specially crafted packet can go out via serial connection that causes the Orion Process in the OrionLX to restart. The sequence of effects caused by this packet is the running DNP driver crashes, the Alarm LED/contact asserts, and the Orion process restarts.
The following scoring is for serial-connected devices. CVE-2013-2822 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.7.
While the IP-based vulnerability can be exploited remotely, the serial-based vulnerability cannot. There must be local access to the serial-connected outstation.
While no known public exploits specifically target this vulnerability, an attacker with a moderate skill level could craft an IP packet that could exploit the vulnerability for an IP-based device.
An attacker with a high skill could exploit the serial-based vulnerability because there must either be physical access to the device or some amount of social engineering.
NovaTech has produced a firmware update that is available for download from the NovaTech Orion Support Site (to gain access, the user must register).
The researchers suggest the following mitigations: Block DNP3 traffic from traversing onto business or corporate networks through the use of an IPS or firewall with DNP3-specific rule sets.
Tuesday, December 3, 2013 @ 03:12 PM gHale
Targeted attacks are already occurring on a new Zero Day vulnerability affecting Windows XP and Windows Server 2003, Microsoft officials said.
Just prior to November 28, Microsoft issued an advisory about the bug (CVE-2013-5065), which lies in the kernel component of Windows XP and Windows Server 2003.
Exploitation could allow an elevation of privilege that gives an attacker the ability to execute code in kernel mode, then go on to “install programs; view, change or delete data; or create new accounts with full administrative rights,” the advisory said.
An attacker would still need login credentials to logon locally to exploit the vulnerability, Microsoft said.
Attacks were occurring where the kernel vulnerability ended up used in conjunction with an Adobe Reader exploit, said FireEye researchers Xiaobo Chen and Dan Caselden in a blog post.
Those running the latest versions of Adobe Reader, however, aren’t vulnerable to the exploit, which targets Adobe Reader 9.5.4, 10.1.6, 11.0.02 and earlier versions on Windows XP Service Pack 3, FireEye said.
Over the weekend, Symantec also said a “small number” of in-the-wild attacks have occurred since early November, where attackers used malicious PDFs as an attack vector. Users in the U.S., India, Australia, Saudi Arabia and throughout Europe were the targets.
In those attacks, attackers exploiting the Windows Zero Day dropped a Trojan called “Wipbot” onto victims’ systems, Symantec found. Wipbot steals system information, which then ends up shared with attackers via their control hub.
So far, Microsoft has yet to issue a fix for the vulnerability, but Dustin Childs, a spokesman for Microsoft’s Trustworthy Computing team, said in a blog post last Wednesday users could deploy a workaround for the issue by configuring the NDProxy driver.
The NDProxy driver helps users manage Microsoft’s Telephony Application Programming Interface (TAPI) for integrated computer-telephone services.
Wednesday, November 27, 2013 @ 11:11 AM gHale
There were 700,000 new Android malware samples spotted in the third quarter, with attacks against the platform up more than 30 percent, a new report said.
Part of the 30 percent increase is due to the discovery of the Android vulnerability that attackers can exploit to create malware that’s capable of bypassing digital signature validation, according to the McAfee third quarter 2013 threat report. Bad guys already started leveraging the flaw with a new family McAfee calls Exploit/MasterKey.A.
“The efforts to bypass code validation on mobile devices, and commandeer it altogether on PCs, both represent attempts to circumvent trust mechanisms upon which our digital ecosystems rely,” said Vincent Weafer, senior vice president of McAfee Labs.
“The industry must work harder to ensure the integrity of this digital trust infrastructure given these technologies are becoming even more pervasive in every aspect of our daily lives.”
In order to make their malware attacks more efficient, cybercriminals are turning more and more to digitally signed malware. In fact, the number of digitally signed malware samples increased by 50 percent, to over 1.5 million new samples.
When it comes to virtual currencies, experts said illegal activities end up facilitated by the emergence of new currencies that allow cybercriminals not only to make transactions, but also to launder their proceeds.
Furthermore, as Bitcoin becomes more popular and more valuable, cybercriminals are turning more and more to the use of Bitcoin-mining malware.
The threat report also showed the global volume of spam increased by 125 percent.
The basis of the study comes from information from 500 multidisciplinary researchers spread out across 30 countries. The complete “McAfee Labs Threats Report: Third Quarter 2013” is available on the company’s website.
Tuesday, October 22, 2013 @ 03:10 PM gHale
In an update to the Alstom e-terracontrol software vulnerability, the company created a patch that mitigates the improper input validation vulnerability, according to a report on ICS-CERT.
Adam Crain of Automatak and independent researcher Chris Sistrunk tested the patch to validate that it resolves the remotely exploitable vulnerability.
The following Alstom product suffers from the issue: e-terracontrol, Versions 3.5, 3.6, and 3.7.
The master can be put into an infinite loop by a specially crafted TCP packet sent from the outstation on an IP-based network. If the user connects the device via a serial connection, the same attack can occur with physical access to the master station. The device must then shut down and restart to reset the loop state.
Alstom is a France-based company that maintains offices worldwide.
The affected product, Alstom e-terracontrol software, sees use in SCADA systems to monitor and control electrical energy systems. According to Alstom, e-terracontrol software sees deployment across the electric energy sector. Alstom estimated these products see use mainly in the U.S. and Europe with a small percentage in Asia.
As this vulnerability affects Internet Protocol-connected and Serial-connected devices, there are two CVSS scores.
The Alstom e-terracontrol DNP Master Driver incorrectly validates input. An attacker could cause the software to go into an infinite loop with a specifically crafted TCP packet, causing the process to crash. If the Alstom e-terracontrol settings end up configured to automatically restart, the DNP3 service will automatically restart and resume communications. Otherwise, the system must restart manually.
The following scoring is for IP-connected devices: CVE-2013-2787 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.
The Alstom e-terracontrol DNP Master Driver incorrectly validates input. An attacker could cause the software to go into an infinite loop, causing the process to crash. If the Alstom e-terracontrol settings end up configured to automatically restart, the DNP3 service will automatically restart and resume communications. Otherwise, the system must be restarted manually.
The following scoring is for serial-connected devices: CVE-2013-2818 is the number assigned to this vulnerability, which has a CVSS v2 base score of 4.7.
The IP-based vulnerability can be exploited remotely, but the serial-based vulnerability cannot. There must be local access to the serial-based outstation.
No known public exploits specifically target this vulnerability, but an attacker with a moderate skill could craft an IP packet that would be able to exploit the vulnerability for an IP-based device.
An attacker with a high skill could exploit the serial-based vulnerability because there must be physical access to the device or some amount of social engineering.
Alstom produced a patch that is available for download from the Alstom Grid Customer Wise portal. Users should contact their Alstom representative for download information.
Thursday, October 10, 2013 @ 04:10 PM gHale
Invensys created an update that mitigates the improper input validation vulnerability in the Wonderware InTouch human-machine interface (HMI), according to a report on ICS-CERT.
Independent researchers Timur Yunusov, Alexey Osipov, and Ilya Karpov of the Positive Technologies Research Team discovered the vulnerability in the Wonderware InTouch application. The Positive Technologies Research Team tested the update to validate that it resolves the vulnerability.
The following Invensys Wonderware products suffer from the issue: InTouch HMI 2012 R2 and all previous versions.
Successful exploitation of this vulnerability could allow an attacker to affect the confidentiality and availability of the Invensys Wonderware InTouch.
Invensys is a global technology company that works with industrial, commercial, rail operators, and appliance operators, while operating in over 180 countries. Invensys develops software, systems, and equipment that enable users to monitor, automate, and control their processes.
The Invensys Wonderware InTouch HMI works across several sectors including critical manufacturing, energy, food and agriculture, chemical, and water and wastewater.
Wonderware InTouch HMI allows access to local resources (files and internal resources) via unsafe parsing of XML external entities. By using specially crafted XML files, an attacker can cause Wonderware InTouch HMI to send the contents of local or remote resources to the attacker’s server or cause a denial of service of the system.
CVE-2012-4709 is the number assigned to this vulnerability, which has a CVSS v2 base score of 6.3.
This vulnerability is not remotely exploitable and needs user interaction for any kind of exploit. The exploit triggers when a local user runs the vulnerable application and loads the malformed XML files.
No known public exploits specifically target this vulnerability, but an attacker with low skill would be able to exploit it.
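As an added example, not code from Invensys or ICS-CERT, the following Python scan shows how a defender can check an untrusted XML file for the external entity declarations this class of flaw depends on before the file is opened in an XML-consuming application such as an HMI. The function names and the sample documents are constructed for illustration.

```python
import xml.parsers.expat

def find_external_entities(xml_text):
    """List the (name, system_id) of every external entity the document declares.

    expat is driven with a declaration handler that records each external
    entity and a reference handler that reports success without loading
    anything, so scanning a hostile file can neither read a local resource
    nor contact a remote server.
    """
    found = []
    parser = xml.parsers.expat.ParserCreate()

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None:      # a SYSTEM/PUBLIC id marks an external entity
            found.append((name, system_id))

    def refuse_fetch(context, base, system_id, public_id):
        return 1                       # keep parsing; the entity content stays empty

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = refuse_fetch
    # Never expand parameter entities, the route by which external DTDs get pulled in.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(xml_text, True)
    return found

def is_safe_to_load(xml_text):
    """Gate to run before handing an untrusted file to an XML-consuming application."""
    return not find_external_entities(xml_text)

# Constructed samples (not from the advisory): a benign file and one whose
# entity would read a local resource into the document when expanded.
BENIGN_XML = '<?xml version="1.0"?><project><name>pump-station</name></project>'
EXTERNAL_XML = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE project [<!ENTITY cfg SYSTEM "file:///placeholder/local-file">]>'
    '<project><name>&cfg;</name></project>'
)
```

`is_safe_to_load(EXTERNAL_XML)` returns `False` because the scan reports `[("cfg", "file:///placeholder/local-file")]`, while the benign document passes.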
Instructions and a link to the application update are on the Invensys download page.
Any machine running InTouch 2012 R2 or earlier versions suffers from the issue, according to Invensys. Users should install the update using instructions provided in the ReadMe file for the product and component installed. Invensys recommends users:
1. Read the installation instructions provided with the patch.
2. Shut down any of the affected software products.
3. Install the update.
4. Restart the software.