Posts Tagged ‘vulnerability’
Friday, May 16, 2014 @ 04:05 PM gHale
Siemens reported to ICS-CERT an incorrect certificate verification vulnerability in RuggedCom ROX-based devices.
Siemens is working on a firmware update for the remotely exploitable vulnerability.
The following Siemens RuggedCom ROX-based devices suffer from the issue:
• ROX version 1.16, and
• ROX version 2.2 through 2.5
In RuggedCom ROX-based devices, GnuTLS is used for certificate verification. Because GnuTLS mishandles error conditions inside its verification routine, a certificate that fails to verify can be accepted as valid, which allows an attacker to perform man-in-the-middle attacks against the device's TLS connections.
Munich, Germany-based Siemens has offices all over the world. It develops products mainly for the energy, healthcare and public health, and transportation sectors.
The affected products, RuggedCom switches and serial-to-Ethernet devices, connect devices that operate in harsh environments such as electric utility substations and traffic control cabinets.
ROX-based RuggedCom devices use the GnuTLS libraries to secure communication. The incorrect error handling in GnuTLS certificate verification, which can allow man-in-the-middle attacks, may therefore affect multiple services in these devices.
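The error-handling mistake behind this class of bug, as an added illustration that is not GnuTLS code and not part of the Siemens advisory, modelled on the publicly reported pattern for CVE-2014-0092: a helper that should return 1 for "issuer is a CA" and 0 for "it is not", but on a parse error jumps to a shared cleanup label still holding a negative error code; the caller only tests for non-zero, so the error is read as success. The certificate structure, error code and function names are hypothetical.

```c
#include <stdio.h>

/* Hypothetical error code and a stripped-down certificate record, constructed
 * for this illustration only. */
#define ERR_MALFORMED_EXTENSION (-102)

struct cert {
    const char *subject;
    int signature_ok;        /* 1: the signature by the claimed issuer verifies */
    int basic_constraints;   /* 1: CA bit set, 0: not a CA, -1: extension unparsable */
};

/* Vulnerable pattern. Contract: return 1 if the issuer may act as a CA, 0 if
 * not. On a parse error the function jumps to cleanup with `result` still
 * holding a NEGATIVE error code, and returns that. */
static int check_if_ca_vulnerable(const struct cert *issuer)
{
    int result;

    if (issuer->basic_constraints < 0) {
        result = ERR_MALFORMED_EXTENSION;
        goto cleanup;            /* error path shares the success return */
    }
    result = (issuer->basic_constraints == 1) ? 1 : 0;

cleanup:
    return result;
}

/* The caller treats "non-zero" as "is a CA", so -102 passes the check and a
 * chain rooted in a certificate nobody vetted is accepted. */
int verify_leaf_vulnerable(const struct cert *issuer, const struct cert *leaf)
{
    if (check_if_ca_vulnerable(issuer) == 0)
        return 0;                /* issuer is not a CA: reject */
    return leaf->signature_ok ? 1 : 0;
}

/* Fixed pattern: every error path lands on a label that forces the boolean
 * result to "not verified", and the caller tests for the single success value. */
static int check_if_ca_fixed(const struct cert *issuer)
{
    if (issuer->basic_constraints < 0)
        goto fail;
    return (issuer->basic_constraints == 1) ? 1 : 0;

fail:
    return 0;                    /* "could not verify" means "not verified" */
}

int verify_leaf_fixed(const struct cert *issuer, const struct cert *leaf)
{
    if (check_if_ca_fixed(issuer) != 1)
        return 0;
    return leaf->signature_ok ? 1 : 0;
}

int main(void)
{
    /* Constructed attacker chain: a "CA" whose basicConstraints extension is
     * deliberately malformed, signing a leaf for the victim's update server. */
    struct cert rogue_ca = { "CN=anyone", 1, -1 };
    struct cert leaf     = { "CN=update.example", 1, 0 };

    printf("vulnerable verifier accepts chain: %d\n",
           verify_leaf_vulnerable(&rogue_ca, &leaf));
    printf("fixed verifier accepts chain:      %d\n",
           verify_leaf_fixed(&rogue_ca, &leaf));
    return 0;
}
```

The practical lesson for code review is the same in any language: a function that mixes a boolean result with negative error codes must never be checked with `!= 0`, and error paths should fail closed rather than fall through the success return.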
The following client-side services use GnuTLS libraries:
• Secure Syslog (only affects ROX Version 1.16)
• Software upgrades with HTTPS-based connections. Nonsecure connections do not have the issue. (Only affects ROX Versions 2.4 and 2.5)
• FTPS (only affects ROX versions from v2.2 through v2.5 inclusive)
CVE-2014-0092 is the identifier assigned to this vulnerability, which has a CVSS v2 base score of 5.8.
No known public exploits specifically target this vulnerability; an attacker with moderate skill would be able to exploit it.
Siemens is working on a firmware update to resolve this vulnerability. In the meantime, Siemens recommends using alternate services (e.g., SFTP) to secure communication. In cases where these alternative services are not viable, Siemens recommends ensuring data transfers take place only over trusted networks.
Siemens recommends the following for the affected services:
• Secure Syslog: Siemens recommends placing the syslog server inside the trusted network boundary until a corrected update is available.
• Software upgrade: When updating devices running the affected ROX versions, the identity of the update server is not verifiable. Siemens recommends placing the upgrade server inside the trusted network boundary.
• FTPS: Siemens recommends using SFTP for data transfer until a corrected update is available.
For more information, see Siemens advisory SSA-839231.
Tuesday, April 29, 2014 @ 05:04 PM gHale
It appears attackers leveraged a vulnerability in Sohu.com, a video content provider, this month to launch large-scale distributed denial of service (DDoS) attacks, researchers said.
Sohu, which translates as “search fox,” is China’s eighth largest website. It provides online media, gaming, search, community and mobile services. While Sohu is not popular among users in the West, it is currently the 27th most visited website in the world.
The attackers found a cross-site scripting (XSS) vulnerability in Sohu.TV, the company’s video streaming service, said researchers at Incapsula. Sohu officials patched the hole after Incapsula notified them.
“Once we uncovered the source of the browser-based DDoS attack and replicated the persistent XSS vulnerability that allowed it to occur, we immediately went on to share our findings with the Sohu security team,” Incapsula researchers said.
“With this information in hand Sohu team could quickly evaluate the problem and respond with a rapid patch which fixed the security hole, rendering this browser-based botnet completely useless,” the researchers said.
Incapsula discovered the attack technique after one of their customers suffered a DDoS attack involving 20 million GET requests coming from more than 22,000 web browsers.
The attackers used Sohu.TV user profiles whose profile image carried the injected script, and posted comments from those profiles on popular videos. Each time one of these videos loaded, the malicious code embedded in the profile image executed in the viewer’s browser, launching a DDoS attack against the designated target.
The GET requests went out from each viewer’s browser at a rate of one per second. With some videos up to 30 minutes long, and a large number of users viewing the same video at any given time, this was enough to disrupt a website that did not use any DDoS protection.
Monday, April 28, 2014 @ 06:04 PM gHale
There is a Zero Day vulnerability in all versions of Internet Explorer that is being used in “limited, targeted attacks,” Microsoft officials said.
They are investigating the vulnerability and exploit and have not yet determined what action they will take in response or when.
All versions of Internet Explorer from 6 through 11 are vulnerable, on all supported versions of Windows other than Server Core. Windows Server versions where IE runs in the default Enhanced Security Configuration are not vulnerable unless an affected site is placed in the Internet Explorer Trusted sites zone.
FireEye, which discovered the issue, said that while the vulnerability affects all versions of IE, the attack is specific to versions 9, 10 and 11. It is a “use after free” bug, in which the browser keeps using a memory object after it has been released, so an attacker who reclaims that memory controls what the browser sees there. The exploit bypasses both DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization).
The specific exploit uses an Adobe Flash SWF file to manipulate the heap with a technique called heap feng shui, the FireEye researchers said.
EMET, the Enhanced Mitigation Experience Toolkit, will also make it more difficult to exploit this vulnerability.
FireEye Research Labs identified the IE Zero Day. Microsoft has assigned CVE-2014-1776 to the vulnerability and released a security advisory to track the issue.
“Threat actors are actively using this exploit in an ongoing campaign which we have named ‘Operation Clandestine Fox,’” FireEye researchers said on a blog. “However, for many reasons, we will not provide campaign details. But we believe this is a significant Zero Day as the vulnerable versions represent about a quarter of the total browser market. We recommend applying a patch once available.”
According to NetMarket Share, the 2013 market share for the targeted versions of IE was:
• IE 9: 13.9 percent
• IE 10: 11.04 percent
• IE 11: 1.32 percent
Collectively, in 2013, the vulnerable versions of IE accounted for 26.25 percent of the browser market. The vulnerability itself is present in IE6 through IE11; the exploit targets IE9 and later.
“The exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections,” the researchers said on their blog.
“The exploit page loads a Flash SWF file to manipulate the heap layout with the common technique heap feng shui. It allocates Flash vector objects to spray memory and cover address 0x18184000. Next, it allocates a vector object that contains a flash.Media.Sound() object, which it later corrupts to pivot control to its ROP chain.”
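A generic illustration of the use-after-free mechanism described above, added here and not part of FireEye’s analysis or of any browser code: a toy allocator that hands out the most recently freed slot first, an object released while a second reference to it survives, and a same-size attacker allocation that reclaims the slot so the stale reference now reads attacker-chosen bytes. The allocator, the object layout and the tag value are constructed for the example; in the browser exploit the Flash vector spray plays the comparable role of putting controlled data where the stale reference points.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy slot allocator: fixed-size slots, most recently freed slot is handed
 * out first. Real allocators are far more complex, but this "free a slot,
 * then allocate the same size to land in it" property is what heap grooming
 * relies on. Constructed for this illustration. */
#define SLOT_SIZE  32
#define SLOT_COUNT 8

static uint8_t heap[SLOT_COUNT][SLOT_SIZE];
static int     free_stack[SLOT_COUNT];
static int     free_top = -1;

void heap_init(void)
{
    int i;
    memset(heap, 0, sizeof heap);
    free_top = -1;
    for (i = SLOT_COUNT - 1; i >= 0; i--)   /* slot 0 ends up on top */
        free_stack[++free_top] = i;
}

void *slot_alloc(void)
{
    if (free_top < 0) return NULL;
    return heap[free_stack[free_top--]];
}

void slot_free(void *p)
{
    free_stack[++free_top] = (int)(((uint8_t *)p - &heap[0][0]) / SLOT_SIZE);
}

/* An object whose type tag and target pointer the code trusts on later use;
 * `target` stands in for a vtable or callback pointer. */
#define TAG_HANDLER 0x4e41484cu   /* constructed tag value */
struct handler {
    uint32_t tag;
    uint32_t target;
    char     name[SLOT_SIZE - 8];
};

/* The bug: the object is freed while `stale` still refers to it and the
 * reference is used afterwards. Returns the tag seen through the stale
 * pointer once an attacker-sized allocation has reclaimed the slot. */
uint32_t uaf_vulnerable(void)
{
    struct handler *h, *stale;
    uint8_t *spray;

    heap_init();
    h = slot_alloc();
    h->tag = TAG_HANDLER; h->target = 0x1000; strcpy(h->name, "onclick");
    stale = h;                 /* second reference, never cleared */
    slot_free(h);              /* object released */

    /* Attacker-controlled allocation of the same size lands in the freed slot. */
    spray = slot_alloc();
    memset(spray, 0x41, SLOT_SIZE);

    return stale->tag;         /* use after free: reads 0x41414141 */
}

/* Hardened variant: the reference is cleared on release and every later use
 * checks it, so the reclaimed slot is never dereferenced through it. */
uint32_t uaf_fixed(void)
{
    struct handler *h;
    uint8_t *spray;

    heap_init();
    h = slot_alloc();
    h->tag = TAG_HANDLER; h->target = 0x1000; strcpy(h->name, "onclick");
    slot_free(h);
    h = NULL;                  /* drop the dangling reference */

    spray = slot_alloc();
    memset(spray, 0x41, SLOT_SIZE);

    return h ? h->tag : 0;     /* no object: nothing to dispatch on */
}

int main(void)
{
    printf("stale reference sees tag 0x%08x (vulnerable), 0x%08x (fixed)\n",
           uaf_vulnerable(), uaf_fixed());
    return 0;
}
```

The value read through the stale pointer is whatever the attacker wrote, which is why the real exploit's next step is to corrupt a pointer-bearing object and pivot to a ROP chain; here the demonstration stops at showing the type confusion, since actually calling through an attacker-supplied pointer has no defined behaviour.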
Wednesday, April 23, 2014 @ 07:04 PM gHale
Oracle issued an advisory listing security updates and detailing what is known and unknown about the Heartbleed vulnerability’s impact.
“The Oracle Global Product Security and Development teams are investigating the use of the affected OpenSSL cryptographic libraries in Oracle products and will provide mitigation instructions when available for these affected Oracle products,” Oracle said in its advisory. “Note that only a number of OpenSSL cryptographic libraries versions were reported as affected by vulnerability CVE-2014-0160. In other words, certain Oracle products, while they may be reported as using OpenSSL, may not be using versions of OpenSSL that were reported as vulnerable to CVE-2014-0160.”
The Heartbleed bug potentially allows an attacker to steal data from the memory of a device or system running the flawed OpenSSL software and compromise the encryption protecting communications between it and other devices.
Products known to be vulnerable and for which patches are available include: MySQL Connector/C 6.1.0-6.1.3; MySQL Connector/ODBC 5.1.13, 5.2.5-5.2.6 and 5.3.2; MySQL Enterprise Backup 3.10.0; MySQL Enterprise Monitor 2.3.13-2.3.15 and 3.0.0-3.0.8; MySQL Enterprise Server 5.6.11-5.6.17 and MySQL Workbench 6.1.4 and earlier.
Other products known to be vulnerable that have patches available are: Oracle Big Data Appliance; Oracle Communications Interactive Session Recorder 4.0.0 and later; Oracle Communications Network Charging and Control 5.0.1; Oracle Communications Session Monitor Suite 3.3.40 and 3.3.50; Oracle Linux 6; Oracle Mobile Security Suite; Oracle Virtual Compute Appliance Software; and Solaris 11.2.
There are other products considered likely to be vulnerable but have no fixes, such as Java ME — JSRs and Optional Packages and Oracle Communications Session Delivery Management Suite NNC 7.3. Several other products, including Java CAPS 6.2 and Siebel CRM, are potentially vulnerable but are still under investigation.
“Oracle’s Cloud security and development teams are aware of the publicly disclosed vulnerability in certain versions of OpenSSL (a.k.a. CVE-2014-0160; or ‘Heartbleed’),” according to the advisory. “Oracle is investigating the implications of this issue across the Oracle stack.”
“The Oracle Cloud uses a ‘defense in depth’ approach to security, which provides risk mitigation due to layered controls,” Oracle said. “Oracle has assessed that the infrastructure, systems and applications used to provide Oracle Cloud services (‘Cloud infrastructure’) were not at risk from this vulnerability, due to Oracle’s network architecture and use of SSL accelerators that have not been reported as vulnerable to CVE-2014-0160. Furthermore, Oracle has assessed our Cloud infrastructure using a number of automated and manual tests and continues to believe that it is not currently at risk from the CVE-2014-0160 vulnerability.”
Wednesday, April 16, 2014 @ 10:04 AM gHale
Innominate released a new firmware version that mitigates the OpenSSL Heartbleed vulnerability in its mGuard products, according to an ICS-CERT advisory.
Researcher Bob Radvanovsky of Infracritical identified the vulnerability in the mGuard products. It can be exploited remotely, and exploits that target the OpenSSL Heartbleed vulnerability are publicly available.
mGuard firmware Versions 8.0.0 and 8.0.1 suffer from the issue.
mGuard firmware Versions 8.0.0 and 8.0.1 use the OpenSSL cryptographic library and transport layer security (TLS) implementation Version 1.0.1, known to be vulnerable to the HeartBleed vulnerability.
Innominate is a Germany-based company that sells products worldwide through its international partners.
The affected products, the mGuard family of products, are industrial security routers. They are in critical infrastructure sectors, including communications, healthcare and public health, and critical manufacturing.
Because the memory returned by a malformed heartbeat request is unpredictable, the private key of the mGuard web graphical user interface could be disclosed. An attacker holding that key could impersonate the device’s web interface to its users and mount a man-in-the-middle attack on their sessions.
CVE-2014-0160 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 5.0.
An attacker with low skill would be able to exploit this vulnerability.
All users of the affected mGuard firmware Versions 8.0.0 and 8.0.1 should upgrade to mGuard firmware Version 8.0.2. Innominate recommends users replace the SSL keys on the affected products after the upgrade; keys replaced before the upgrade could simply be leaked again. The mGuard firmware Version 8.0.2 provides a combined function to replace both the HTTPS and SSH keys.
For more information on this vulnerability and specific instructions on how to install the latest firmware version, see the Innominate Security Advisory.
Monday, April 14, 2014 @ 07:04 PM gHale
While most of the buzz surrounding OpenSSL’s Heartbleed vulnerability focused on websites and other servers, the SANS Institute said software running on PCs, tablets and more is just as vulnerable.
SANS Institute analyst Jake Williams said black hats knew about the data-leaking bug well before its public discovery and disclosure.
Williams – aka MalwareJake – said vulnerable OpenSSL installations on the client side can undergo attacks from malicious servers to extract passwords and cryptographic keys from users’ computers and gadgets, according to a report in The Register.
Williams said a dodgy server could easily send a message to vulnerable software on phones, laptops, PCs, home routers and other devices, and retrieve up to 64KB of highly sensitive data from the targeted system at a time. It’s an attack that would probably yield handy amounts of data if deployed against users of public Wi-Fi hotspots, he said.
Writing code to exploit vulnerabilities in clients is “not going to be that difficult to do,” he said.
Security penetration testers are going to find themselves in work “through 2020” with this bug, Williams said, and he noted that it is going to be hard to identify vulnerable software in some environments. For example, he said, it is hard to tell whether Windows client programs were compiled against vulnerable OpenSSL versions.
And that’s not to mention all the “non-port-443” software that might be compiled against vulnerable versions of OpenSSL: email servers, databases, LDAP services, and so on.
Williams also said the risk that the vulnerability could reveal a site’s private key means that if an attacker has previously recorded encrypted sessions, he or she will now be able to decrypt that traffic. That applies to sessions negotiated with RSA key exchange; sessions that used an ephemeral Diffie-Hellman cipher suite cannot be decrypted retroactively from the server’s long-term key.
Worse, he said it’s also feasible what turns up in the leaked memory could give attackers hints at how to take the axe to other software, turning known bugs currently seen as “hard to exploit” into easy kills.
Another issue easily overlooked, he said, is in the cloud. If you’re running VMs in a cloud environment: Admins must find their cloud machines and make sure their code base isn’t Heartbleed vulnerable.
User training is going to be another big issue: End-users are going to have to be trained to check certificate issue dates, to make sure their trusted services (like the bank) have re-issued their certificates.
Then, he added, there are thousands of “shoestring budget” VPN concentrators in smaller businesses that will be vulnerable and probably won’t undergo updates.
Thursday, April 10, 2014 @ 06:04 PM gHale
There is a public report of a vulnerability, with proof-of-concept (PoC) exploit code, that could expose the private SSL keys used in OpenSSL’s implementation of secure communication, according to an ICS-CERT alert.
OpenSSL Versions 1.0.1 through 1.0.1f contain a flaw in their implementation of the transport layer security/datagram transport layer security (TLS/DTLS) heartbeat functionality that could disclose private keys and other sensitive data from process memory to an attacker, the report said.
This vulnerability is called “Heartbleed.” It was discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and by Neel Mehta of Google Security, and was reported to the National Cyber Security Centre Finland (NCSC-FI) for vulnerability coordination and reporting to the OpenSSL team.
ICS-CERT issued an alert as early notice of the report and to identify baseline mitigations for reducing risks from this and other cybersecurity attacks.
For details, see the US-CERT Vulnerability Note and the public Heartbleed report.
As OpenSSL may see use as a third-party component, asset owners, operators, and SCADA software developers should investigate the use of the affected versions of OpenSSL in their environments.
OpenSSL Version 1.0.1g addresses this vulnerability. Contact your software vendor to check for availability of updates. Because any key material or session data held by a vulnerable process may already have been read, patching should be followed by replacing private keys and certificates and resetting credentials that passed through the affected service.
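The heartbeat flaw described here, and in the Oracle, Innominate and SANS items above, as an added illustration that is not OpenSSL’s code and not part of the original alert: a heartbeat handler that trusts the length field inside the message, next to the kind of check OpenSSL 1.0.1g introduced, which discards a message whose claimed payload does not fit inside the received record. The message layout (type, 16-bit big-endian length, payload, at least 16 bytes of padding) follows RFC 6520; the server memory, the “secret” that follows the record and the function names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire layout of one TLS heartbeat message (RFC 6520):
 * type(1) | payload_length(2, big endian) | payload | padding(>=16 bytes). */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_MIN_PAD   16
#define HB_HDR       3

/* Build a heartbeat request in buf. `claimed` goes into the length field,
 * while only `real_len` payload bytes are actually written: an honest peer
 * passes claimed == real_len, the Heartbleed probe passes claimed > real_len.
 * Returns the number of bytes that really are on the wire. */
size_t hb_build_request(uint8_t *buf, uint16_t claimed,
                        const uint8_t *payload, size_t real_len)
{
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed >> 8);
    buf[2] = (uint8_t)(claimed & 0xff);
    memcpy(buf + HB_HDR, payload, real_len);
    memset(buf + HB_HDR + real_len, 0, HB_MIN_PAD);
    return HB_HDR + real_len + HB_MIN_PAD;
}

/* Vulnerable handler: trusts the length field inside the message, never
 * compares it against the record length `rec_len`, and copies payload_len
 * bytes starting at the payload, i.e. whatever lies after the real payload
 * in the process's memory. */
size_t hb_respond_vulnerable(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap)
{
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = HB_HDR + payload_len + HB_MIN_PAD;
    (void)rec_len;                          /* the missing check */
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload_len);   /* over-read */
    memset(out + HB_HDR + payload_len, 0, HB_MIN_PAD);
    return resp_len;
}

/* Fixed handler: the message is silently discarded unless the claimed
 * payload plus header and minimum padding fit inside the received record. */
size_t hb_respond_fixed(const uint8_t *rec, size_t rec_len,
                        uint8_t *out, size_t out_cap)
{
    uint16_t payload_len;
    size_t resp_len;

    if (rec_len < HB_HDR + HB_MIN_PAD)      /* too short to be a heartbeat */
        return 0;
    payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR + payload_len + HB_MIN_PAD > rec_len)
        return 0;                           /* length field lies: drop it */
    resp_len = HB_HDR + payload_len + HB_MIN_PAD;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload_len);
    memset(out + HB_HDR + payload_len, 0, HB_MIN_PAD);
    return resp_len;
}

/* Constructed server memory: the received record sits right in front of key
 * material, as it might on a real heap. Returns 1 if the vulnerable handler's
 * response contains that material and the fixed handler refuses to answer. */
int hb_demo_leak(void)
{
    uint8_t mem[128];
    uint8_t out[256];
    static const char secret[] = "-----BEGIN RSA PRIVATE KEY-----";
    size_t rec_len, n;
    int leaked, refused;

    memset(mem, 0, sizeof mem);
    rec_len = hb_build_request(mem, 64, (const uint8_t *)"ping", 4); /* 23 bytes */
    memcpy(mem + rec_len, secret, sizeof secret);        /* follows the record */

    n = hb_respond_vulnerable(mem, rec_len, out, sizeof out);
    leaked  = n == HB_HDR + 64 + HB_MIN_PAD &&
              memcmp(out + rec_len, secret, sizeof secret - 1) == 0;
    refused = hb_respond_fixed(mem, rec_len, out, sizeof out) == 0;
    return leaked && refused;
}

int main(void)
{
    printf("vulnerable handler leaks memory and fixed one refuses: %s\n",
           hb_demo_leak() ? "yes" : "no");
    return 0;
}
```

The same shape of check is what a network detector looks for from the other direction: a heartbeat response noticeably longer than the request that triggered it is the signature of a server still running the unpatched code.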
Thursday, April 3, 2014 @ 03:04 PM gHale
A serious vulnerability that eBay fixed had the potential to allow bad guys to steal from ProStores shops and swipe customer credit cards, a researcher said.
This vulnerability in eBay-owned ProStores not only opened the door to store account hijackers, but also leaked “full access to all their customers PII [personally identifiable information] as well as their full credit information in clear text,” said Mark Litchfield, a security researcher at Securatary, who found the defect.
ProStores hosts online shops for eBay sellers to use to sell merchandise, and provides a wizard for creating the traders’ websites.
“Like the gostorego vulnerability (also eBay), we could shop for free by giving ourselves store credit or gift cards or created our own orders for free,” Litchfield said.
After he reported the bug in February, the company fixed the problem, clearing the way for Litchfield to go public.
In order to gain control of a victim’s eBay ProStores site, the attacker must create her own ProStores account, which is not difficult, and then use that as a springboard to infiltrate the victim’s web bazaar, Litchfield said.
“In short, it was possible to change the password of another administrator, then you could log in as that user with full administrative access to the store,” Litchfield said. “With this attack I guess I was more shocked than anything to find the credit card information being displayed back in clear text. If people are buying things online, why would the full card information need to return in clear text to the administrator?”
ProStores targets small to medium businesses; eBay bought it in 2005. The service offers inventory management, supplier communication and integration with QuickBooks, Dreamweaver and other tools. Litchfield also said there was an XML external entity (XXE) vulnerability in ProStores.
Securatary said it had reported the problem to eBay on February 11 and they fixed it March 20.
Wednesday, April 2, 2014 @ 08:04 AM gHale
A WinRAR vulnerability is part of a malware campaign targeting government and international organizations, as well as Fortune Global 500 companies.
WinRAR is a Windows file archiver that handles the RAR and ZIP compression formats.
The vulnerability lets an attacker create a ZIP file that appears in WinRAR’s listing to contain one thing but actually houses something different altogether, said Israeli security researcher Danor Cohen.
From an attacker’s standpoint, they can compress a Trojan or other malware with WinRAR and make the resulting ZIP file appear to contain an image or some other harmless file. The attacker then waits for the target to open the file, which is actually an executable, and the target ends up compromised.
Cohen observed the vulnerability – which he called WinRAR file extension spoofing – on WinRAR version 4.20, but IntelCrawler researchers found it can end up exploited on all versions of WinRAR, including version 5.1.
The spoofing is possible because a ZIP archive stores each entry’s file name twice: once in the local file header that precedes the entry’s data and once in the central directory at the end of the archive. WinRAR displayed one copy of the name but extracted the entry using the other, so by altering one of the two ‘file name’ fields the archive listing says it contains something different from what is actually inside.
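An added check for the spoofing described above, which is neither Cohen’s nor IntelCrawler’s tool and is not from the original article: it builds a constructed single-entry ZIP in memory, with separate names for the local file header and the central directory entry, then walks the central directory, follows each entry to its local header and counts entries whose two names disagree. Field offsets follow the ZIP application note; the CRC is left zero because the checker does not validate it, so the constructed bytes are test data rather than a real archive.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian field helpers. */
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v & 0xffff)); put16(p + 2, (uint16_t)(v >> 16)); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get32(const uint8_t *p) { return get16(p) | ((uint32_t)get16(p + 2) << 16); }

/* Build a single-entry, stored (method 0) ZIP in buf. The local file header
 * gets `local_name`, the central directory entry gets `central_name`; a
 * well-formed archive uses the same string in both. Returns the archive size. */
size_t zip_build(uint8_t *buf, const char *local_name, const char *central_name,
                 const uint8_t *data, uint32_t data_len)
{
    size_t ln = strlen(local_name), cn = strlen(central_name);
    uint8_t *p = buf;
    uint32_t cd_off, cd_size;

    /* local file header (30 bytes + name), followed by the stored data */
    put32(p, 0x04034b50); put16(p + 4, 20); put16(p + 6, 0); put16(p + 8, 0);
    put16(p + 10, 0); put16(p + 12, 0); put32(p + 14, 0);          /* crc left 0 */
    put32(p + 18, data_len); put32(p + 22, data_len);
    put16(p + 26, (uint16_t)ln); put16(p + 28, 0);
    memcpy(p + 30, local_name, ln); p += 30 + ln;
    memcpy(p, data, data_len);      p += data_len;

    /* central directory header (46 bytes + name); local header is at offset 0 */
    cd_off = (uint32_t)(p - buf);
    put32(p, 0x02014b50); put16(p + 4, 20); put16(p + 6, 20); put16(p + 8, 0);
    put16(p + 10, 0); put16(p + 12, 0); put16(p + 14, 0); put32(p + 16, 0);
    put32(p + 20, data_len); put32(p + 24, data_len);
    put16(p + 28, (uint16_t)cn); put16(p + 30, 0); put16(p + 32, 0);
    put16(p + 34, 0); put16(p + 36, 0); put32(p + 38, 0); put32(p + 42, 0);
    memcpy(p + 46, central_name, cn); p += 46 + cn;
    cd_size = (uint32_t)(p - buf) - cd_off;

    /* end of central directory record (22 bytes) */
    put32(p, 0x06054b50); put16(p + 4, 0); put16(p + 6, 0); put16(p + 8, 1);
    put16(p + 10, 1); put32(p + 12, cd_size); put32(p + 16, cd_off); put16(p + 20, 0);
    p += 22;
    return (size_t)(p - buf);
}

/* Walk the central directory, follow each entry to its local header and count
 * entries whose two names differ. Returns -1 if the archive is malformed. */
int zip_count_name_mismatches(const uint8_t *zip, size_t len)
{
    size_t i, cd_off, cd_end;
    uint16_t entries;
    int mismatches = 0;

    if (len < 22) return -1;
    for (i = len - 22; ; i--) {            /* locate EOCD, allowing a trailing comment */
        if (get32(zip + i) == 0x06054b50) break;
        if (i == 0) return -1;
    }
    entries = get16(zip + i + 10);
    cd_off  = get32(zip + i + 16);
    cd_end  = cd_off + get32(zip + i + 12);
    if (cd_end > len) return -1;

    while (entries-- > 0) {
        const uint8_t *c = zip + cd_off, *l;
        uint16_t cn, cextra, ccomment, ln, lextra;
        uint32_t loc;

        if (cd_off + 46 > cd_end || get32(c) != 0x02014b50) return -1;
        cn = get16(c + 28); cextra = get16(c + 30); ccomment = get16(c + 32);
        loc = get32(c + 42);
        if (cd_off + 46 + cn + cextra + ccomment > cd_end) return -1;

        l = zip + loc;
        if ((size_t)loc + 30 > len || get32(l) != 0x04034b50) return -1;
        ln = get16(l + 26); lextra = get16(l + 28);
        if ((size_t)loc + 30 + ln + lextra > len) return -1;

        /* the name shown in a listing (central) vs the name the data is written as (local) */
        if (ln != cn || memcmp(l + 30, c + 46, ln) != 0)
            mismatches++;
        cd_off += 46 + cn + cextra + ccomment;
    }
    return mismatches;
}

int main(void)
{
    uint8_t buf[512];
    const uint8_t payload[] = { 'M', 'Z', 0x90, 0x00 };   /* constructed stand-in for an EXE */
    size_t n = zip_build(buf, "FAX.exe", "FAX.jpg", payload, sizeof payload);
    printf("spoofed archive: %d mismatched entries\n", zip_count_name_mismatches(buf, n));
    n = zip_build(buf, "FAX.jpg", "FAX.jpg", payload, sizeof payload);
    printf("honest archive:  %d mismatched entries\n", zip_count_name_mismatches(buf, n));
    return 0;
}
```

A mail gateway or endpoint scanner that applies this comparison to every ZIP attachment flags the spoof regardless of which of the two names a particular archiver chooses to display; a non-zero count is reason enough to quarantine the file.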
IntelCrawler found starting March 24 attackers exploiting this WinRAR vulnerability in a “cyber espionage campaign” targeting aerospace companies, military subcontractors, embassies, and firms on the Fortune Global 500 list.
In one sample of a spam email obtained by IntelCrawler, the attackers attached the password protected, malicious ZIP file – named ‘FAX.zip’ – and included the password for the file in the body of the email, which was said to be from European Council Legal Affairs.
Researchers analyzed the attachment and determined it was a Zeus-like Trojan capable of establishing remote administration channels with the infected victim, and gathering passwords and saved forms, according to the research.
Tuesday, March 25, 2014 @ 06:03 PM gHale
A proof-of-concept app exploiting an Android vulnerability can trap a device in a continuous reboot loop.
Ibrahim Balic, creator of the proof-of-concept (PoC) that exploits the vulnerability, said it can be triggered by apps that carry an extremely long value (more than 387,000 characters) in the “appname” field of strings.xml.
Trend Micro researchers described the flaw: “our analysis shows that the first crash is caused by the memory corruption in WindowManager, the interface that apps use to control the placement and appearance of windows on a given screen. Large amounts of data were entered into the Activity label, which is the equivalent of the window title in Windows.”
“If a cybercriminal builds an app containing a hidden Activity with a large label, the user will have no idea whatsoever that this exploit is in fact taking place. Cybercriminals can further conceal the exploit by setting a timed trigger event that stops the current app activity and then opens the hidden Activity. When the timed event is triggered, the exploit runs, and the system server crashes as a result. This stops all functionality of the mobile device, and the system will be forced to reboot.
“An even worse case is when the malware is written to start automatically upon device startup. Doing so will trap the device in a rebooting loop, rendering it useless. In this case, only a boot loader recovery fix will work, which means that all the information (contacts, photos, files, etc.) stored inside the device will be erased.”
The flaw apparently affects mobile devices with Android OS versions 4.0 and above.