Posts Tagged ‘vulnerability’

Wednesday, July 22, 2015 @ 11:07 AM gHale

There is a vulnerability in Hospira’s Symbiq Infusion System, which could end up exploited to remotely control the device, in conjunction with previously identified vulnerabilities, according to a report from ICS-CERT.

Hospira verified the vulnerability exists only in the Symbiq Infusion System, and the company provided compensating measures to help mitigate the risks associated with it. As Hospira announced in 2013, the Symbiq Infusion System was retired on May 31 of this year, and the company will fully remove it from the market by December.

Independent researcher Billy Rios identified the vulnerability and Kyle Kamke of Ramparts LLC assisted in the development of the proof-of-exploit.

Symbiq Infusion System, Version 3.13 and prior versions suffer from the issue.

Successful exploitation of this vulnerability, in conjunction with previously reported vulnerabilities, could allow an attacker to remotely control the operation of the device, potentially impacting prescribed therapy and patient safety.

Hospira is a U.S.-based company that maintains offices in several countries around the world.

The affected product, the Symbiq Infusion System, is an intravenous pump that delivers medication to patients. The affected product sees action across the healthcare and public health sectors. The Symbiq Infusion System sees use only in the U.S. and Canada.

An attacker with remote access and elevated privileges could cause the Symbiq Infusion System to perform unanticipated operations.

CVE-2015-3965 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.

No known public exploits specifically target this vulnerability. An attacker with medium skill would be able to exploit this vulnerability.

Asset owners should perform a risk assessment by examining their specific clinical use of the affected product in the host environment. In addition, asset owners should evaluate implementing the following defensive measures to protect against this and other risks:
• Disconnect the affected product from the network. Disconnecting it will have operational impacts: drug libraries will have to be updated manually, and manual updates to each pump are labor intensive and prone to entry error.
• Ensure unused ports are closed, including Port 20/FTP and Port 23/TELNET.
• Hospira recommends healthcare providers contact Hospira’s technical support to change the default password used to access Port 8443 or to close Port 8443. Contact Hospira’s technical support at 800-241-4002. Hospira is working directly with Symbiq customers to update the configuration of the pump to close access ports.
• Monitor and log all network traffic attempting to reach the affected product via Port 20/FTP, Port 23/TELNET and Port 8443.
• Use good design practices that include network segmentation. Use DMZs with properly configured firewalls to selectively control traffic and monitor traffic passed between zones and systems to identify anomalous activity. Use the static nature of these isolated environments to look for anomalous activities.
• Maintain layered physical and logical security to implement defense-in-depth security practices for environments operating medical devices.
• Isolate all medical devices from the Internet and untrusted systems.

Tuesday, June 9, 2015 @ 04:06 PM gHale

There is a hard-coded SSH and HTTPS encryption key vulnerability in N-Tron’s 702-W Industrial Wireless Access Point device, according to a report on ICS-CERT.

The vulnerability, discovered by independent researcher Neil Smith of (ZeroFox) Riskive Security, could allow an attacker to compromise communications and compromise the integrity of the device.

N-Tron is aware of the reported vulnerability, but ICS-CERT has not been able to coordinate this issue with N-Tron or its parent company Red Lion because of the vendor’s unresponsiveness.

At this point there is no fix, patch, or update from N-Tron that mitigates this remotely exploitable vulnerability, ICS-CERT said. ICS-CERT sent out the advisory to inform users of the potential risk of using this equipment and to urge them to increase compensating measures where possible.

All versions of the N-Tron 702-W Industrial Wireless Access Point suffer from the issue.

The SSH and HTTPS private keys used for secure communication can be copied from the device, and the keys are the same on each device. Users do not have the ability to generate a new private key. With these keys an attacker can intercept communications from these devices and completely compromise the confidentiality and integrity of the transmitted data.

Spectris plc is a United Kingdom-based instrumentation and controls company that acquired N-Tron on October 1, 2010, and is working closely with its Red Lion Controls subsidiary. In February 2013, Red Lion, Sixnet, and N-Tron combined under the Red Lion brand. N-Tron is a Mobile, AL-based company that has representatives around the world, including Canada, China, India, Switzerland, and the United Kingdom.

N-Tron products see action across several sectors including commercial facilities; energy; nuclear reactors, materials, waste; transportation systems, and water and wastewater systems. N-Tron estimates these products see use in over 50 countries worldwide.

The SSH and HTTPS private keys used for secure traffic communication are hard-coded on the device and are not unique. An attacker can use these keys from one device to decrypt traffic from any other device. Users do not have the ability to generate new keys for the device. An attacker has the ability to use the key to completely compromise the confidentiality and integrity of the wireless traffic.
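The shared-key problem described above (every device carries the same private key, so a key from one device decrypts or impersonates any other) is something an asset owner can check for across a fleet without vendor help. The following is an added example, not code from the advisory or from N-Tron: it parses ssh-keyscan-style lines (constructed sample input with made-up key blobs) and reports any SSH host-key fingerprint that appears on more than one device.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed ssh-keyscan style lines for a hypothetical fleet of access points.
# Real ssh-keyscan output has the form "<host> <key-type> <base64 key blob>";
# the blobs below are made-up bytes, not real keys.
def _fake_blob(seed: bytes) -> str:
    return base64.b64encode(seed * 4).decode()

KEYSCAN_OUTPUT = "\n".join([
    "# 10.0.2.21 SSH-2.0-OpenSSH_6.6",                          # comment line, ignored
    f"10.0.1.10 ssh-rsa {_fake_blob(b'device-key-blob-A')}",
    f"10.0.1.11 ssh-rsa {_fake_blob(b'device-key-blob-A')}",   # identical key to .10
    f"10.0.1.12 ssh-rsa {_fake_blob(b'device-key-blob-A')}",   # identical key again
    f"10.0.2.20 ssh-rsa {_fake_blob(b'device-key-blob-B')}",   # unique key
    "10.0.2.21 ssh-rsa not!base64",                             # malformed, skipped
])

def openssh_fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint as OpenSSH displays it: base64 of SHA-256 over the raw
    key bytes, with the trailing '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_keyscan(text: str) -> dict:
    """Map host -> fingerprint, skipping comments, blank lines and undecodable blobs."""
    host_to_fp = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        host, blob = parts[0], parts[2]
        try:
            host_to_fp[host] = openssh_fingerprint(blob)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
    return host_to_fp

def shared_keys(host_to_fp: dict) -> dict:
    """Return {fingerprint: [hosts]} for every fingerprint seen on more than one host.
    Any entry here means those devices share a private key, so a key extracted from
    one of them can impersonate, or decrypt the traffic of, all the others."""
    by_fp = defaultdict(list)
    for host, fp in host_to_fp.items():
        by_fp[fp].append(host)
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}

if __name__ == "__main__":
    for fp, hosts in shared_keys(parse_keyscan(KEYSCAN_OUTPUT)).items():
        print(f"{fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

The same grouping applies to HTTPS: collect each device's server certificate and group by public-key fingerprint instead.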

CVE-2012-4716 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 8.8.

No known public exploits specifically target this vulnerability. An attacker with low skill would be able to exploit this vulnerability.

ICS-CERT recommends users contact N-Tron customer support with further questions and for mitigation strategies.

Friday, May 1, 2015 @ 06:05 PM gHale

A vulnerability present in version 1.3 of RealTek SDK (software development kit) can end up exploited by an attacker to execute arbitrary code on the device.

The kit sees use in broadband routers from D-Link and Trendnet, said researchers at HP’s Zero Day Initiative.

Although only products from those two manufacturers were found vulnerable, the list could grow, as the RealTek SDK sees use in firmware production for wireless and gateway controllers.

The glitch first ended up reported on August 13 to HP’s Zero Day Initiative by security researcher Ricky Lawshae, who found D-Link and Trendnet products suffered from the issue. The vendor received repeated notices of the problem, but at the moment a patch is not available.

The flaw resides in the “MiniIGD” component part of the SOAP (simple object access protocol) service, which handles the communication between web services.

“The issue lies in the handling of the NewInternalClient requests due to a failure to sanitize user data before executing a system call. An attacker could leverage this vulnerability to execute code with root privileges,” an advisory from ZDI said.

Mitigating the risk can occur by limiting interaction with the service to trusted clients only. This can be done by implementing firewall rules or by creating whitelists of the machines allowed to communicate with it.
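The flaw class ZDI describes (a request field reaching a system call without sanitization) and its input-side fix, as an added illustration. This is hypothetical code, not MiniIGD's: the field names, the LAN range and the iptables command line are assumptions made for the example.

```python
import ipaddress

# Hypothetical port-mapping handler in the style of a UPnP IGD's SOAP AddPortMapping
# action. Field names, LAN range and the iptables command line are assumptions for
# this illustration; none of this is MiniIGD's actual code.

LAN = ipaddress.IPv4Network("192.168.1.0/24")   # assumed LAN served by the gateway

def build_command_vulnerable(new_internal_client: str, new_external_port: str) -> str:
    """The unsafe pattern: request fields are pasted into one string that a shell
    will parse. A NewInternalClient value containing shell metacharacters becomes
    extra commands, and because the service runs as root, so do they."""
    return (f"iptables -t nat -A PREROUTING -p tcp --dport {new_external_port} "
            f"-j DNAT --to {new_internal_client}")

def validate_port(value: str) -> int:
    """Accept only an ASCII decimal in 1..65535."""
    if not (value.isascii() and value.isdigit()):
        raise ValueError(f"port is not numeric: {value!r}")
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port

def validate_internal_client(value: str, lan: ipaddress.IPv4Network = LAN) -> str:
    """Accept only a well-formed IPv4 literal, and only one inside the served LAN."""
    try:
        addr = ipaddress.IPv4Address(value)      # rejects anything but a dotted quad
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"NewInternalClient is not an IPv4 address: {value!r}") from exc
    if addr not in lan:
        raise ValueError(f"NewInternalClient {addr} is outside {lan}")
    return str(addr)

def build_command_hardened(new_internal_client: str, new_external_port: str) -> list:
    """Validate every field first, then return an argv list for subprocess.run(argv)
    (no shell=True), so the values are never parsed by a shell at all."""
    port = validate_port(new_external_port)
    client = validate_internal_client(new_internal_client)
    return ["iptables", "-t", "nat", "-A", "PREROUTING", "-p", "tcp",
            "--dport", str(port), "-j", "DNAT", "--to", client]

def is_rejected(new_internal_client: str, new_external_port: str) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        build_command_hardened(new_internal_client, new_external_port)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    # A benign marker shows how the vulnerable builder lets extra text reach the shell.
    crafted = "192.168.1.5; echo injected"
    print("vulnerable:", build_command_vulnerable(crafted, "8080"))
    print("hardened rejects crafted value:", is_rejected(crafted, "8080"))
    print("hardened argv:", build_command_hardened("192.168.1.5", "8080"))
```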

Security researcher Stefan Viehböck said MiniIGD appears to be a fork from an old version of MiniUPnP. Some researchers suggest turning off the Universal Plug and Play (UPnP) service, used for discovering clients in a local network. On some devices, UPnP can also end up accessed from the Internet, thus enabling a remote attack.

Even if RealTek comes up with a patch for the problem, it would not end up implemented on all affected devices since many of them no longer receive support from their manufacturers.

Thursday, January 15, 2015 @ 06:01 PM gHale

Google released details of a new privilege escalation vulnerability in Windows just as Microsoft was getting ready to send out a patch.

The issue is that the vulnerability first came to Microsoft’s attention over 90 days ago, and Google’s Project Zero automatically released the details when the Redmond software giant did not release a patch within the 90-day disclosure deadline.

“When a user logs into a computer the User Profile Service is used to create certain directories and mount the user hives (as a normal user account cannot do so),” Google said in its report. “In theory the only thing which needs to be done under a privileged account (other than loading the hives) is creating the base profile directory. This should be secure because c:\users requires administrator privileges to create. The configuration of the profile location is in HKLM so that can’t be influenced.”

“However, there seems to be a bug in the way it handles impersonation, the first few resources in the profile get created under the user’s token, but this changes to impersonating Local System part of the way through. Any resources created while impersonating Local System might be exploitable to elevate privilege. Note that this occurs every time the user logs in to their account, it isn’t something that only happens during the initial provisioning of the local profile,” Google said.

A proof-of-concept (PoC) demonstrating the attack on Windows 8.1 was published, but researchers said the vulnerability also affects Windows 7.

In November, Microsoft informed Google of plans to address the issue in February 2015 and asked for an extension of the deadline. However, Google told Microsoft the 90 day deadline is “fixed for all vendors and bug classes and so cannot be extended.” Later, Microsoft promised to address the vulnerability in January, but Google still refused to extend its deadline even by two days.

In late December, Project Zero published the details and a proof-of-concept for a different Windows 8.1 privilege escalation flaw after the 90-day deadline expired.

Monday, December 29, 2014 @ 03:12 PM gHale

A vulnerability opens over 12 million routers around the world to remote compromise, researchers said.

“The Misfortune Cookie vulnerability is due to an error within the HTTP cookie management mechanism present in the affected software, allowing an attacker to determine the ‘fortune’ of a request by manipulating cookies,” said researchers at Check Point.

“Attackers can send specially crafted HTTP cookies that exploit the vulnerability to corrupt memory and alter the application and system state,” the researchers said in a blog post. “This, in effect, can trick the attacked device to treat the current session with administrative privileges — to the misfortune of the device owner.”

“All an attacker needs in order to exploit Misfortune Cookie is to send a single packet to your public IP address. No hacking tools required, just a simple modern browser,” they said.

Once the device ends up compromised, the attacker can monitor the victims’ Internet connection and steal their credentials and personal and business data. The attacker would also be well positioned to compromise any other device connected to that network. The affected devices usually operate in the SOHO market.

Introduced in 2002, the vulnerability is in the embedded web server RomPager made by AllegroSoft, which is widely embedded in the firmware of routers from different manufacturers. The researchers don’t believe it to be an intentionally included backdoor.

After they discovered the flaw and notified AllegroSoft, the company told them it had issued a fixed version to address the Misfortune Cookie vulnerability in 2005.

This version was provided to licensed manufacturers, but it is well known that “the patch propagation cycle, however, is incredibly slow (sometimes non-existent) with these types of devices.”

As a result, devices today still ship with the vulnerable version in place. The researchers provided a list of suspected vulnerable router models, manufactured by TP-Link, Huawei, SmartAX, Zyxel, Netcomm, Edimax, and other companies.

Friday, August 22, 2014 @ 04:08 PM gHale

Among the 1,000 most popular free Android apps from Google Play, researchers found widespread vulnerabilities that can enable a man-in-the-middle (MitM) attack.

These apps have an SSL/TLS vulnerability that an attacker can leverage to his or her advantage, said researchers at FireEye Mobile Security Team. They looked to see how many apps communicate with their servers via secure network protocols, and whether the apps that do have a correct implementation of the Android platform’s SSL libraries.

The researchers asked some of the tough questions: “Do they use trust managers that check certificate chains from remote servers? Does the hostname of the server extracted from the CA-issued certificate match the hostname of the server the application intends to connect to? Do the apps ignore SSL errors in WebKit (a component that renders server pages in mobile applications)?”

The results showed that of the 1,000 tested apps, 614 use SSL/TLS, but 448 (around 73 percent of those 614) do not check certificates, 50 (around 8 percent) use their own hostname verifiers that do not check hostnames, and of the 285 that use WebKit, 219 (around 77 percent) ignore SSL errors generated in it.

The numbers were a bit different when the researchers analyzed the top 10,000 most popular apps, but nevertheless bad.
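The three questions above map onto three source-level anti-patterns a reviewer can look for in an app's, or an ad library's, code. This added example is not FireEye's tooling: it runs regex heuristics over constructed Java fragments (not from any real app). Pattern matching of this kind misses obfuscated or indirect variants, so treat hits as leads for manual review rather than a verdict.

```python
import re

# Constructed Java fragments standing in for decompiled app and ad-library sources.
# They are not from any real app; each illustrates one of the three questions above.
SAMPLES = {
    "TrustAllManager.java": """
        public class TrustAllManager implements X509TrustManager {
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public void checkServerTrusted(X509Certificate[] chain, String authType) {}
            public X509Certificate[] getAcceptedIssuers() { return null; }
        }
    """,
    "AdNet.java": """
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) { return true; }
        });
    """,
    "WebPane.java": """
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
                handler.proceed();   // swallows the SSL error and keeps loading
            }
        });
    """,
    "GoodClient.java": """
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            defaultTm.checkServerTrusted(chain, authType);   // delegates to the platform check
        }
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.cancel();
        }
    """,
}

# (label, pattern): one heuristic per anti-pattern. re.S lets '.' span line breaks.
CHECKS = [
    # 1. a TrustManager whose server check has an empty body accepts any chain
    ("empty-server-trust-check",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}", re.S)),
    # 2. a HostnameVerifier that always returns true, or Apache's allow-all verifier
    ("hostname-verifier-returns-true",
     re.compile(r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}"
                r"|ALLOW_ALL_HOSTNAME_VERIFIER")),
    # 3. a WebViewClient that calls handler.proceed() inside onReceivedSslError
    ("webview-proceeds-on-ssl-error",
     re.compile(r"onReceivedSslError\s*\([^)]*\)\s*\{(?:(?!\}).)*handler\s*\.\s*proceed\s*\(",
                re.S)),
]

def audit_source(source: str) -> list:
    """Labels of every anti-pattern found in one source file."""
    return [label for label, pattern in CHECKS if pattern.search(source)]

def audit_all(sources: dict) -> dict:
    """Map file name -> findings, listing only files with at least one hit."""
    report = {}
    for name, source in sources.items():
        findings = audit_source(source)
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES).items():
        print(f"{name}: {', '.join(findings)}")
```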

“Applications may use third-party libraries to enable part of their functionality. When these libraries have baked-in vulnerabilities, they are particularly dangerous because they make all applications that use them, and frequently the devices that run them, vulnerable. Furthermore, these vulnerabilities are not weaknesses in the applications themselves, but in the features they rely upon for functionality,” the FireEye researchers said.

The team tested their findings by creating proof-of-concept MitM attacks against several of these popular apps and the ad libraries they use, and found SSL vulnerabilities in both. Most of these apps had been downloaded several hundred times.

Friday, May 16, 2014 @ 04:05 PM gHale

Siemens reported to ICS-CERT an incorrect certificate verification in RuggedCom ROX-based devices.

Siemens is working on a firmware update for the remotely exploitable vulnerability.

The following Siemens RuggedCom ROX-based devices suffer from the issue:
• ROX version 1.16, and
• ROX version 2.2 through 2.5

In RuggedCom ROX-based devices, GnuTLS sees use for client certificate verification. Because GnuTLS is vulnerable to an incorrect error handling issue within this function, an attacker would be able to perform man-in-the-middle attacks.

Munich, Germany-based Siemens has offices all over the world. It develops products mainly for the energy, healthcare and public health, and transportation systems sectors.

The affected products, RuggedCom switches and serial-to-Ethernet devices, connect devices that operate in harsh environments such as electric utility substations and traffic control cabinets.

ROX-based RuggedCom devices use GnuTLS libraries to enable secure communication. GnuTLS suffers from incorrect error handling in certificate verification, which could allow man-in-the-middle attacks, and this may affect multiple services in these devices.

The following client-side services use GnuTLS libraries:
• Secure Syslog (only affects ROX Version 1.16)
• Software upgrades with HTTPS-based connections. Nonsecure connections do not have the issue. (Only affects ROX Versions 2.4 and 2.5)
• FTPS (only affects ROX versions from v2.2 through v2.5 inclusive)

CVE-2014-0092 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 5.8.

No known public exploits specifically target this vulnerability. An attacker with moderate skill would be able to exploit it.

Siemens is working on a firmware update to resolve this vulnerability. In the meantime, Siemens recommends using alternate services (e.g., SFTP) to secure communication. In cases where these alternative services are not viable, Siemens recommends ensuring data transfers occur only over trusted networks.

Siemens recommends the following for the affected services:
• Secure Syslog: Siemens recommends placing the syslog server inside the trusted network boundary until a corrected update is available.
• Software upgrade: When updating devices running the affected ROX versions, the identity of the update server is not verifiable. Siemens recommends placing the upgrade server inside the trusted network boundary.
• FTPS: Siemens recommends using SFTP for data transfer until a corrected update is available.

For more information, see Siemens advisory SSA-839231.

Tuesday, April 29, 2014 @ 05:04 PM gHale

It appears a vulnerability in Sohu, a video content provider, ended up leveraged by attackers this month to launch large-scale distributed denial of service (DDoS) attacks, researchers said.

Sohu, which translates as “search fox,” is China’s eighth largest web site. It provides online media, gaming, search, community and mobile services. While Sohu is not popular among users in the West, it is currently the 27th most visited website in the world.

The attackers found a cross-site scripting (XSS) vulnerability in Sohu.TV, the company’s video streaming service, said researchers at Incapsula. Sohu officials patched the hole after Incapsula notified them.

“Once we uncovered the source of the browser-based DDoS attack and replicated the persistent XSS vulnerability that allowed it to occur, we immediately went on to share our findings with the Sohu security team,” Incapsula researchers said.

“With this information in hand, the Sohu team could quickly evaluate the problem and respond with a rapid patch which fixed the security hole, rendering this browser-based botnet completely useless,” the researchers said.

Incapsula discovered the attack technique after one of their customers suffered a DDoS attack involving 20 million GET requests coming from more than 22,000 web browsers.

The attackers didn’t compromise the computers of 22,000 users. Instead, they leveraged the persistent XSS flaw to inject JavaScript code into the tag associated with the images on Sohu profiles.

The profiles in question were able to post comments on popular videos. Each time one of these videos loaded, the malicious code embedded inside the profile image executed, launching a DDoS attack against the designated target.

The GET requests went out at a rate of one per second. With some videos up to 30 minutes long and a large number of users viewing the same video at any given time, that was enough to disrupt a website that didn’t use any DDoS protection.

Monday, April 28, 2014 @ 06:04 PM gHale

There is a Zero Day vulnerability in all versions of Internet Explorer seeing use in “limited, targeted attacks,” Microsoft officials said.

They are investigating the vulnerability and exploit and have not yet determined what action they will take in response or when.

All versions of Internet Explorer from 6 through 11 are vulnerable, as are all supported versions of Windows other than Server Core. Windows Server versions where IE runs in the default Enhanced Security Configuration are not vulnerable unless an affected site ends up placed in the Internet Explorer Trusted sites zone.

FireEye, which discovered the issue, said while the vulnerability affects all versions of IE, the attack is specific to versions 9, 10 and 11. It is a “use-after-free” attack, in which memory objects in the browser end up manipulated after release. The attack bypasses both DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization).

The specific exploit uses an Adobe Flash SWF file to manipulate the heap with a technique called heap feng shui, the FireEye researchers said.

EMET, the Enhanced Mitigation Experience Toolkit, will also make it more difficult to exploit this vulnerability.

FireEye Research Labs identified the IE Zero Day. This Zero Day bypasses ASLR and DEP. Microsoft has assigned CVE-2014-1776 to the vulnerability and released a security advisory to track this issue.

“Threat actors are actively using this exploit in an ongoing campaign which we have named ‘Operation Clandestine Fox,’” FireEye researchers said on a blog. “However, for many reasons, we will not provide campaign details. But we believe this is a significant Zero Day as the vulnerable versions represent about a quarter of the total browser market. We recommend applying a patch once available.”

According to NetMarket Share, the market share for the targeted versions of IE in 2013 was:
• IE 9: 13.9 percent
• IE 10: 11.04 percent
• IE 11: 1.32 percent

Collectively, in 2013, the vulnerable versions of IE accounted for 26.25 percent of the browser market. The vulnerability, however, does appear in IE6 through IE11 though the exploit targets IE9 and higher.

“The exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections,” the researchers said on their blog.

“The exploit page loads a Flash SWF file to manipulate the heap layout with the common technique heap feng shui. It allocates Flash vector objects to spray memory and cover address 0x18184000. Next, it allocates a vector object that contains a flash.Media.Sound() object, which it later corrupts to pivot control to its ROP chain.”

“The SWF file calls back to Javascript in IE to trigger the IE bug and overwrite the length field of a Flash vector object in the heapspray. The SWF file loops through the heapspray to find the corrupted vector object, and uses it to again modify the length of another vector object. This other corrupted vector object is then used for subsequent memory accesses, which it then uses to bypass ASLR and DEP.”

Wednesday, April 23, 2014 @ 07:04 PM gHale

Oracle issued an advisory listing security updates and detailing what is known and unknown about the Heartbleed vulnerability’s impact.

“The Oracle Global Product Security and Development teams are investigating the use of the affected OpenSSL cryptographic libraries in Oracle products and will provide mitigation instructions when available for these affected Oracle products,” Oracle said in its advisory. “Note that only a number of OpenSSL cryptographic libraries versions were reported as affected by vulnerability CVE-2014-0160. In other words, certain Oracle products, while they may be reported as using OpenSSL, may not be using versions of OpenSSL that were reported as vulnerable to CVE-2014-0160.”

The Heartbleed bug potentially allows an attacker to steal data from the memory of a device or system running the flawed OpenSSL software and compromise the encryption protecting communications between it and other devices.

Products known to be vulnerable and for which there are patches are: MySQL Connector/C 6.1.0-6.1.3; MySQL Connector/ODBC 5.1.13, 5.2.5-5.2.6 and 5.3.2; MySQL Enterprise Backup 3.10.0; MySQL Enterprise Monitor 2.3.13-2.3.15 and 3.0.0-3.0.8; MySQL Enterprise Server 5.6.11-5.6.17 and MySQL Workbench 6.1.4 and earlier.

Other products known to be vulnerable that have patches available are: Oracle Big Data Appliance; Oracle Communications Interactive Session Recorder 4.0.0 and later; Oracle Communications Network Charging and Control 5.0.1; Oracle Communications Session Monitor Suite 3.3.40 and 3.3.50; Oracle Linux 6; Oracle Mobile Security Suite; Oracle Virtual Compute Appliance Software; and Solaris 11.2.

There are other products considered likely to be vulnerable but have no fixes, such as Java ME — JSRs and Optional Packages and Oracle Communications Session Delivery Management Suite NNC 7.3. Several other products, including Java CAPS 6.2 and Siebel CRM, are potentially vulnerable but are still under investigation.

“Oracle’s Cloud security and development teams are aware of the publicly disclosed vulnerability in certain versions of OpenSSL (a.k.a. CVE-2014-0160; or ‘Heartbleed’),” according to the advisory. “Oracle is investigating the implications of this issue across the Oracle stack.”

“The Oracle Cloud uses a ‘defense in depth’ approach to security, which provides risk mitigation due to layered controls,” Oracle said. “Oracle has assessed that the infrastructure, systems and applications used to provide Oracle Cloud services (‘Cloud infrastructure’) were not at risk from this vulnerability, due to Oracle’s network architecture and use of SSL accelerators that have not been reported as vulnerable to CVE-2014-0160. Furthermore, Oracle has assessed our Cloud infrastructure using a number of automated and manual tests and continues to believe that it is not currently at risk from the CVE-2014-0160 vulnerability.”