Posts Tagged ‘vulnerability’
Wednesday, May 22, 2013 @ 07:05 PM gHale
3S released an update for a denial-of-service (DoS) vulnerability in its CODESYS Gateway application, according to a report on ICS-CERT.
Successful exploitation of this remotely exploitable vulnerability could cause a DoS condition and may also allow remote execution of arbitrary code. Nicholas Miles, who discovered the vulnerability, has tested the update and validated that it resolves the issue.
The Gateway-Server is a third-party component found in multiple control system manufacturers' products.
CODESYS Gateway, Version 18.104.22.168 suffers from this issue.
This product also sees use in products sold by other vendors. Control systems vendors should review their products, identify those that incorporate the affected software, and take appropriate steps to update their products and notify customers.
If exploited, an attacker could use this vulnerability to remotely cause a DoS with a system crash within the Gateway server application. Remote execution of arbitrary code may also be possible.
According to the 3S-Smart Software Solutions GmbH Web site, CODESYS sees use in virtually all sectors of the automation industry by manufacturers of industrial controllers or intelligent automation devices, by end users in many different industries, or by system integrators who offer automation solutions with CODESYS.
This vulnerability affects products primarily found in the energy, critical manufacturing, and industrial automation industries.
The vulnerability results from the process referencing memory it had previously freed (a use-after-free). This condition commonly causes a system crash and may also present the possibility of arbitrary code execution.
CVE-2013-81733 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.
No known public exploits specifically target this vulnerability, but an attacker with low skill would be able to exploit it.
3S released a patch, available for download from the 3S CODESYS Download page.
Monday, May 20, 2013 @ 06:05 PM gHale
An exploit has been released that proves that normal, logged-in users can gain root access on the Linux kernel via an incorrectly declared pointer whose fix was itself incomplete.
It all started back in April, when Linux kernel developers fixed an incorrectly declared pointer in the Linux kernel. The problem is, in their rush to fix the issue, they apparently overlooked the security implications of the bug, since it is in fact possible to gain access to almost any memory area using a suitable event_id.
After realizing the problem, the developers declared the bug an official security hole (CVE-2013-2094) following the release of an exploit that proves that normal, logged-in users can gain root access this way.
The bug affects any kernel version between 2.6.37 and 3.8.9 compiled with the PERF_EVENTS option; apparently, this is the case with many distributions. Which exact distributions suffer from the issue will become clear when the relevant security updates are released. Linux security expert Brad Spengler released a detailed exploit analysis.
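As an added example (not from the article or from any of the vendors named in it), the following Python script decides whether a host falls inside the version window and build option the article gives for CVE-2013-2094; the kernel release strings and config lines it uses are constructed samples, and the helper names are this example's own.

```python
"""Added example: check whether a Linux host sits in the affected window the
article states for CVE-2013-2094 (kernel 2.6.37 through 3.8.9 inclusive, built
with CONFIG_PERF_EVENTS). Inputs are `uname -r` style strings and lines from a
/boot/config-* file; the samples below are constructed, not captured."""
import re

AFFECTED_MIN = (2, 6, 37)   # first affected release per the article
AFFECTED_MAX = (3, 8, 9)    # last affected release per the article

# Constructed sample of a kernel config fragment (not from a real host).
SAMPLE_CONFIG = [
    "# Automatically generated file; DO NOT EDIT.",
    "CONFIG_HAVE_PERF_EVENTS=y",
    "CONFIG_PERF_EVENTS=y",
]


def parse_kernel_version(release: str) -> tuple:
    """Turn '3.5.0-28-generic' or '2.6.37' into a comparable (major, minor, patch)
    tuple. Distro suffixes after the numeric part are ignored; missing patch is 0."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def version_in_affected_range(release: str) -> bool:
    """True when the upstream version number lies inside the article's window.
    Caveat: distro kernels often backport fixes without changing this number,
    so True means 'consult the vendor advisory', not 'definitely vulnerable'."""
    return AFFECTED_MIN <= parse_kernel_version(release) <= AFFECTED_MAX


def perf_events_enabled(config_lines) -> bool:
    """Scan kernel config lines for CONFIG_PERF_EVENTS=y (a commented-out
    '# CONFIG_PERF_EVENTS is not set' line does not count)."""
    return any(line.strip() == "CONFIG_PERF_EVENTS=y" for line in config_lines)


def assess(release: str, config_lines) -> str:
    """Combine both checks into a short verdict string."""
    if not version_in_affected_range(release):
        return "outside affected version range"
    if not perf_events_enabled(config_lines):
        return "in range but PERF_EVENTS not enabled"
    return "in range and PERF_EVENTS enabled: apply vendor kernel update"


if __name__ == "__main__":
    # On a real host: assess(platform.release(), open(f"/boot/config-{platform.release()}"))
    print(assess("3.5.0-28-generic", SAMPLE_CONFIG))
```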
Meanwhile, the Ubuntu Security Team closed the vulnerability with updates to Ubuntu 13.04, 12.10, 12.04 LTS and in the Hardware Enablement Kernel for Ubuntu 12.04 LTS based on the Ubuntu 12.10 kernel. The developers caution users that due to ABI changes in the kernel update, all third party modules installed with these kernels have to undergo recompiling and reinstallation. Users who use the linux-restricted-modules package will have to update this package as well, which will happen automatically on systems that include the standard kernel meta packages.
Red Hat said Red Hat Enterprise Linux (RHEL) 4 and 5 do not suffer from the problem. RHEL 6 and Red Hat Enterprise MRG 2, however, do, and until the company releases updates that fix the issue, Red Hat recommends mitigating the security risks and gives instructions on how to do so on a page on its customer portal web site.
The Debian developers are also working to fix the problem. At the time of writing, Debian stable (Wheezy) and testing (Jessie) are both vulnerable to the exploit; Debian unstable (Sid) is not. The fixed kernel package is already available in the security update repository for Wheezy, however, and should reach the main distribution repository soon.
Monday, May 20, 2013 @ 04:05 PM gHale
TURCK released an updated firmware version that addresses the vulnerabilities in the BL20 and BL67 Programmable Gateways, according to a report on ICS-CERT.
Exploitation of this vulnerability, discovered by researcher Rubén Santamarta of IOActive, would give an attacker remote administrative access to the device. This vulnerability affects programmable gateways deployed in the agriculture and food, automotive, and critical manufacturing sectors.
The firmware update mitigates the remotely exploitable vulnerability by removing the hard-coded accounts accessible by the FTP service.
The following TURCK products suffer from the issue:
• BL20 Programmable Gateway, all versions, and
• BL67 Programmable Gateway, all versions.
This vulnerability allows an attacker to remotely access the device by using hard-coded credentials. After gaining administrative access, the attacker can create false communication between remote I/Os, PLCs, or DCS systems. Those false communications could cause adverse actions within the control system, possibly including process shutdown.
TURCK is a German-based company that maintains offices in 25 countries around the world, including parts of Europe, South America, Asia, the UK, and U.S.
The affected products, the BL20 and BL67 Programmable Gateways, provide communication between the communications bus and I/O modules. According to TURCK, the BL20 and BL67 work across several sectors including agriculture and food, automotive, and critical manufacturing. TURCK said the products see use primarily in the United States and Europe, with a small percentage in Asia.
The BL20 and BL67 Programmable Gateways contain hard-coded credentials. An attacker can log on to the device via the FTP service on port 21/TCP to obtain administrative access. This could allow the attacker to impact availability, integrity, and confidentiality.
CVE-2012-4697 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.
While no known public exploits specifically target this vulnerability, an attacker with low skill would be able to exploit it.
The firmware updates can be downloaded from the TURCK BL20 and BL67 download sites:
Friday, May 10, 2013 @ 04:05 PM gHale
Adobe is working on a patch for a critical vulnerability in its ColdFusion Web application server that bad guys are using in attacks right now.
The vulnerability affects several versions of ColdFusion running on Windows, Unix and OS X.
The flaw, which Adobe plans to patch on May 14, could allow a remote attacker to retrieve files from affected servers. There is a public exploit available for the vulnerability, making the patch a high priority for enterprises running ColdFusion.
“There are reports that an exploit for this vulnerability is publicly available. ColdFusion customers who have restricted public access to the CFIDE/administrator, CFIDE/adminapi and CFIDE/gettingstarted directories (as outlined in the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide) are already mitigated against this issue,” Adobe said in its advisory.
The company recommends customers running vulnerable versions of ColdFusion, which include 10, 9, 9.02 and 9.01, follow the recommendations in the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide to help install mitigations that will prevent exploitation of this vulnerability.
Monday, May 6, 2013 @ 12:05 PM gHale
A Zero Day vulnerability in Internet Explorer 8 was the hole attackers took advantage of when they hacked into the Department of Labor (DoL) and, as it turns out, quite a few other sites.
Microsoft confirmed the existence of the vulnerability saying it only affected IE8 on Windows XP and possibly IE8 on Windows 7. IE 6, 7, 9 and 10 do not suffer from the issue, and users should upgrade to one of the last two versions until the company patches the flaw.
Those who do not upgrade can mitigate it by setting the Internet and local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones, and by configuring IE to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones.
This watering hole attack turned out to be much larger: researchers said as many as nine websites, including a European aerospace, defense and security manufacturer as well as a number of non-profit organizations, were also compromised and are redirecting visitors to a website hosting malware.
“The list of affected sites includes several non-profit groups and institutes as well as a big European company that plays on the aerospace, defense and security markets,” said researchers at AlienVault, and added the server serving the malicious payloads links to previous attacks by a Chinese cyber espionage group called “DeepPanda.”
Researchers originally thought the malware was exploiting a use-after-free memory corruption vulnerability that Microsoft had patched earlier this year. The DoL’s SEM site is a repository of data on toxic substances present at facilities run by the Department of Energy.
Microsoft confirmed in its advisory this is a remote code execution vulnerability: IE does not properly handle objects in memory that have been deleted or were not properly allocated. Microsoft suggests users take caution when sent links via email or IM messages. In the meantime, Microsoft suggests setting the Internet and local intranet security zones to “High” to block ActiveX Controls and Active Scripting, as well as configuring IE to prompt before running Active Scripting.
The malware drops an executable called conime[.]exe onto the infected computer and opens remote connections on ports 443 and 53, said researchers at security firm Invincea, adding there were two redirects present on the DoL page sending visitors to dol[.]ns01[.]us. Once the user is redirected, a file executes, ports are opened and registry changes are made to maintain persistence on the machine.
Monday, April 29, 2013 @ 04:04 PM gHale
Viber, a popular messaging application for the Android mobile platform similar to Skype, is vulnerable to a flaw that could allow an attacker with physical access to an Android device full control of the phone, researchers said.
There have been between 50 and 100 million installations of Viber on the Google Play store, said researchers at Bkav Corporation, a California security company. The app is also available for iPhone, BlackBerry and Windows devices. Bkav did not say whether any of those devices are vulnerable as well.
The alert posted by Bkav said the vulnerability is present on Samsung, Sony, HTC, Google Nexus, and other devices that support Android.
“Through a few actions on Viber, new message popups, combining with some tricks like using [a] victim’s notification bar, sending other Viber messages, [a] bad guy can gain full access to the phone and use any apps, features, etc. on the phone as its authorized user,” the alert said.
The exploit is relatively simple, Bkav researchers said. There are several video examples of bypasses for different handsets, each relying on either a Viber instant message or missed call combined with the use of the Viber keyboard and back button to unlock the phone.
Bkav said it reported the vulnerability to Viber, which has yet to acknowledge it.
A similar vulnerability was found in Samsung devices running Android 4.1.2 by a U.K. researcher through the use of the emergency call button and emergency contact list buttons, which cause the home screen to appear briefly, allowing an outsider to access any app without having to authenticate via the Android pattern lock or PIN.
In February, two iPhone screen lock bypass flaws were discovered, one in the iOS 6.1 kernel that enabled access to contacts and other data, and another also in the emergency call feature.
Tuesday, April 23, 2013 @ 07:04 PM gHale
A new patch just came out for Java and researchers have already identified a vulnerability affecting the latest version of the software.
Polish firm Security Explorations discovered a Reflection API issue, called “Issue 61,” that plagues all variants of Java 7, including Update 21.
The newly found bug impacts not only the JRE plugin, but the just-unveiled Server JRE as well, said Adam Gowdiak, chief executive and founder of Security Explorations.
“[The vulnerability] can be used to achieve a complete Java security sandbox bypass on a target system. Successful exploitation in a web browser scenario requires proper user interaction (a user needs to accept the risk of executing a potentially malicious Java application when a security warning window is displayed),” Gowdiak said.
It’s also worth noting this is a completely new security hole that doesn’t rely on any previously unpatched flaws.
A vulnerability report and a proof of concept went out to Oracle. Gowdiak said the company hasn’t confirmed the issue, but he believes it shouldn’t take more than a day, considering that reproducing the flaw consists of simply running Java code in a web browser.
“In Apr 2012, we reported our first vulnerability report to Oracle corporation signaling multiple security problems in Java SE 7 and the Reflection API in particular. It’s been a year since then and to our true surprise, we were still able to discover one of the simplest and most powerful instances of Java Reflection API based vulnerabilities,” Gowdiak said.
“It looks like Oracle was primarily focused on hunting down potentially dangerous Reflection API calls in the ‘allowed’ classes space. If so, no surprise that Issue 61 was overlooked.”