Posts Tagged ‘vulnerability’

Wednesday, April 16, 2014 @ 10:04 AM gHale

Innominate released a new firmware version that mitigates the OpenSSL Heartbleed vulnerability in its mGuard products, according to a report on ICS-CERT.

The vulnerability, identified in mGuard by researcher Bob Radvanovsky of Infracritical, is remotely exploitable. Exploits that target the OpenSSL Heartbleed vulnerability are publicly available.


mGuard firmware Versions 8.0.0 and 8.0.1 suffer from the issue: they use the OpenSSL 1.0.1 cryptographic library and transport layer security (TLS) implementation, which is vulnerable to Heartbleed.

Innominate is a Germany-based company that sells products worldwide through its international partners.

The affected products, the mGuard family, are industrial security routers. They are deployed in critical infrastructure sectors, including communications, healthcare and public health, and critical manufacturing.

Because the process memory returned by a Heartbleed request is unpredictable, the private key of the mGuard web graphical user interface could be disclosed. An attacker holding that key could impersonate the mGuard web interface to its users and mount a man-in-the-middle attack on their sessions.

CVE-2014-0160 is the identifier assigned to this vulnerability, which has a CVSS v2 base score of 5.0.

An attacker with a low skill would be able to exploit this vulnerability.

All users of the affected mGuard firmware Versions 8.0.0 and 8.0.1 should upgrade to mGuard firmware Version 8.0.2. Innominate recommends users update SSL keys on the affected products after upgrade. The mGuard firmware Version 8.0.2 provides a combined function to replace both the HTTPS and SSH keys.

For more information regarding this vulnerability and specific instructions on how to install the latest firmware version, see the Innominate security advisory.

Monday, April 14, 2014 @ 07:04 PM gHale

While most of the buzz surrounding OpenSSL’s Heartbleed vulnerability focused on websites and other servers, the SANS Institute said client software running on PCs, tablets and other devices is just as vulnerable.

SANS Institute analyst Jake Williams said black hats knew about the data-leaking bug well before its public discovery and disclosure.


Williams, aka MalwareJake, said vulnerable OpenSSL installations on the client side can be attacked by malicious servers to extract passwords and cryptographic keys from users’ computers and gadgets, according to a report in The Register.

Williams said a dodgy server could easily send a message to vulnerable software on phones, laptops, PCs, home routers and other devices, and retrieve up to 64KB of highly sensitive data from the targeted system at a time. It’s an attack that would probably yield handy amounts of data if deployed against users of public Wi-Fi hotspots, he said.

Writing code to exploit vulnerabilities in clients is “not going to be that difficult to do,” he said.

Security penetration testers are going to find themselves in work “through 2020” with this bug, Williams said, and noted that it’s going to be hard to identify vulnerabilities in some environments. For example, he said, it’s going to be hard to tell whether Windows client programs were compiled against vulnerable OpenSSL versions.

And that’s not to mention all the “non-port-443” software that might end up compiled against vulnerable versions of OpenSSL: email servers, databases, LDAP services, and so on.

Williams also said that because the vulnerability can reveal the private keys behind site certificates, an attacker who has previously recorded encrypted sessions will now be able to decrypt that traffic.

Worse, he said it’s also feasible what turns up in the leaked memory could give attackers hints at how to take the axe to other software, turning known bugs currently seen as “hard to exploit” into easy kills.

Another issue that is easily overlooked, he said, is the cloud: admins running VMs in a cloud environment must find their cloud machines and make sure their code base isn’t Heartbleed vulnerable.

User training is going to be another big issue: End-users are going to have to be trained to check certificate issue dates, to make sure their trusted services (like the bank) have re-issued their certificates.

Then, he added, there are thousands of “shoestring budget” VPN concentrators in smaller businesses that will be vulnerable and probably won’t undergo updates.

Thursday, April 10, 2014 @ 06:04 PM gHale

There is a public report of a vulnerability with proof-of-concept (PoC) exploit code that could expose private SSL keys used in the OpenSSL implementation of secure communication, according to a report in ICS-CERT.

OpenSSL Versions 1.0.1 through 1.0.1f contain a flaw in their implementation of the transport layer security/datagram transport layer security (TLS/DTLS) heartbeat extension that could disclose private information, including key material, to an attacker, the report said.


This vulnerability is called “Heartbleed.” It was discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and by Neel Mehta of Google Security, and reported to the National Cyber Security Centre Finland (NCSC-FI) for vulnerability coordination and reporting to the OpenSSL team.

ICS-CERT issued an alert as early notice of the report and to identify baseline mitigations for reducing the risk from this and other cybersecurity attacks.

For details, see the US-CERT Vulnerability Note and the public Heartbleed report.

Because OpenSSL is widely embedded as a third-party component, asset owners, operators, and SCADA software developers should investigate whether affected versions of OpenSSL are in use in their environments.

OpenSSL Version 1.0.1g fixes this vulnerability. Contact your software vendor to check for the availability of updates.
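How the bug and its fix actually work, as an added example that is not code from OpenSSL, Innominate, SANS or ICS-CERT: a Python simulation of the heartbeat handler that serves both the server case in the mGuard item above and the malicious-server-against-client case in the April 14 item, since the processing is identical at either end. The message layout follows RFC 6520 (type byte, two-byte payload length, payload, at least 16 bytes of padding). `adjacent_memory` is a constructed stand-in for whatever happened to follow the record on the heap, and the bounds check in `fixed_handler` is the one OpenSSL 1.0.1g added: discard the message if 1 + 2 + payload_length + 16 exceeds the length of the record that actually arrived.

```python
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16                      # RFC 6520: at least 16 bytes of random padding


def build_heartbeat(claimed_length: int, payload: bytes,
                    padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Serialize a HeartbeatMessage: type(1) | payload_length(2, big-endian) | payload | padding.
    claimed_length is written into the header as given, so a caller can lie about it."""
    return struct.pack(">BH", HB_REQUEST, claimed_length) + payload + padding


def vulnerable_handler(record: bytes, adjacent_memory: bytes) -> bytes:
    """Pre-1.0.1g behaviour: trust payload_length from the peer and copy that many bytes
    starting at the payload, even past the end of the record into neighbouring heap data.
    adjacent_memory is a constructed stand-in for that neighbouring data."""
    _hbtype, payload_length = struct.unpack(">BH", record[:3])
    heap = record + adjacent_memory
    payload = heap[3:3 + payload_length]      # up to 65535 bytes, bounded only by the claim
    return struct.pack(">BH", HB_RESPONSE, payload_length) + payload + b"\x00" * MIN_PADDING


def fixed_handler(record: bytes, adjacent_memory: bytes) -> Optional[bytes]:
    """1.0.1g behaviour: the claimed length must fit inside the record that arrived,
    otherwise the message is silently discarded. adjacent_memory is never read."""
    if len(record) < 1 + 2 + MIN_PADDING:            # too short to even hold the padding
        return None
    _hbtype, payload_length = struct.unpack(">BH", record[:3])
    if 1 + 2 + payload_length + MIN_PADDING > len(record):
        return None
    payload = record[3:3 + payload_length]
    return struct.pack(">BH", HB_RESPONSE, payload_length) + payload + b"\x00" * MIN_PADDING


def response_payload(response: bytes) -> bytes:
    """Payload echoed back by the peer, which is what an attacker harvests."""
    _hbtype, payload_length = struct.unpack(">BH", response[:3])
    return response[3:3 + payload_length]


# Constructed heap contents next to the record buffer: the kind of material the
# reports above say was recoverable (session data, key material).
ADJACENT_MEMORY = (b"Cookie: session=9f3c1d; " + b"\x00" * 40 +
                   b"-----BEGIN RSA PRIVATE KEY-----" + b"A" * 64)


def honest_exchange():
    """A legitimate 4-byte heartbeat: both handlers echo exactly 'ping'."""
    req = build_heartbeat(4, b"ping")
    return (response_payload(vulnerable_handler(req, ADJACENT_MEMORY)),
            response_payload(fixed_handler(req, ADJACENT_MEMORY)))


def heartbleed_exchange():
    """The attack: claim 64 KB, send nothing. The old code leaks, the fixed code drops it."""
    req = build_heartbeat(0xFFFF, b"")
    return vulnerable_handler(req, ADJACENT_MEMORY), fixed_handler(req, ADJACENT_MEMORY)
```

Note that the fix is a length check, not a crypto change: the leaked key is already gone, which is why Innominate and the other vendors above tell users to replace keys and certificates after upgrading rather than only installing the patch.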

Wednesday, April 2, 2014 @ 08:04 AM gHale

A WinRAR vulnerability is part of a malware campaign targeting government and international organizations, as well as Fortune Global 500 companies.

WinRAR is a Windows data compression tool that focuses on the RAR and ZIP data compression formats for Windows users.


The vulnerability lets an attacker build a ZIP archive that appears to contain one thing when listed but actually holds something different, said Israeli security researcher Danor Cohen.

From an attacker’s standpoint, they can compress a Trojan, or some other malware, with WinRAR and make the resulting ZIP file appear to contain an image or something else that looks harmless. The attacker then waits for someone to click on the file, which is actually an executable, and the target ends up compromised.

Cohen observed the vulnerability – which he called WinRAR file extension spoofing – on WinRAR version 4.20, but IntelCrawler researchers found it can end up exploited on all versions of WinRAR, including version 5.1.

The exploit is possible because, when WinRAR creates a ZIP archive, it writes each entry’s file name into more than one place; the ZIP format itself keeps one copy in the entry’s local header and another in the archive’s central directory. By altering one of the copies, the archive lists a different name from the one used when the entry is extracted.
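The mismatch described above is visible to anyone who parses the archive, so it is detectable. The following is an added example, not code from WinRAR, Cohen or IntelCrawler: it builds a single-entry ZIP by hand whose local header names `invoice.exe` while the central directory (which listings display) names `invoice.jpg`, then audits any archive by comparing the two names for every entry. The file names and the `MZ` stub are constructed samples; the final function shows that CPython’s own `zipfile` lists the central-directory name but refuses to open an entry whose local header disagrees.

```python
import io
import struct
import zipfile
import zlib

LOCAL_HDR = "<4s5H3L2H"       # 30 bytes: sig, ver, flags, method, time, date, crc, csize, usize, nlen, xlen
CENTRAL_HDR = "<4s6H3L5H2L"   # 46 bytes: adds version-made-by, comment/disk/attr fields, local header offset
EOCD = "<4s4H2LH"             # 22 bytes: disk numbers, entry counts, central dir size/offset, comment len


def build_spoofed_zip(real_name: bytes, shown_name: bytes, data: bytes) -> bytes:
    """One stored entry whose local header says real_name while the central directory
    says shown_name. Constructed here only to reproduce the name mismatch."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    local = struct.pack(LOCAL_HDR, b"PK\x03\x04", 20, 0, 0, 0, 0,
                        crc, len(data), len(data), len(real_name), 0) + real_name + data
    central = struct.pack(CENTRAL_HDR, b"PK\x01\x02", 20, 20, 0, 0, 0, 0,
                          crc, len(data), len(data), len(shown_name), 0, 0, 0, 0,
                          0, 0) + shown_name               # external attrs 0, local header at offset 0
    eocd = struct.pack(EOCD, b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def audit_names(blob: bytes) -> list:
    """Walk the central directory and compare each entry's listed name with the name in
    its local file header. Returns (listed_name, real_name) pairs that disagree."""
    eocd_at = blob.rfind(b"PK\x05\x06")   # last EOCD signature (archives with a trailing comment are fine)
    if eocd_at < 0:
        raise ValueError("not a ZIP archive: no end-of-central-directory record")
    _, _, _, _, entries, _, cd_offset, _ = struct.unpack_from(EOCD, blob, eocd_at)
    mismatches, pos = [], cd_offset
    for _ in range(entries):
        cd = struct.unpack_from(CENTRAL_HDR, blob, pos)
        if cd[0] != b"PK\x01\x02":
            raise ValueError("corrupt central directory")
        name_len, extra_len, comment_len, local_off = cd[10], cd[11], cd[12], cd[16]
        listed = blob[pos + 46:pos + 46 + name_len].decode("cp437")
        pos += 46 + name_len + extra_len + comment_len
        lh = struct.unpack_from(LOCAL_HDR, blob, local_off)
        if lh[0] != b"PK\x03\x04":
            raise ValueError("central directory offset does not point at a local header")
        real = blob[local_off + 30:local_off + 30 + lh[9]].decode("cp437")
        if listed != real:
            mismatches.append((listed, real))
    return mismatches


def stdlib_view(blob: bytes):
    """(names a listing shows, whether extraction of the first entry succeeds) using CPython's
    zipfile, which compares the two names on open() and raises BadZipFile on a mismatch."""
    zf = zipfile.ZipFile(io.BytesIO(blob))
    listed = zf.namelist()
    try:
        zf.open(listed[0]).read()
        return listed, True
    except zipfile.BadZipFile:
        return listed, False


def benign_zip() -> bytes:
    """Constructed control sample: an ordinary archive written by the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", b"nothing to see")
    return buf.getvalue()


# Constructed spoofed sample: listed as a picture, extracted as a PE stub.
SPOOFED = build_spoofed_zip(b"invoice.exe", b"invoice.jpg", b"MZ" + b"\x90" * 30)
```

Running `audit_names` over mail attachments at the gateway catches this trick regardless of which archiver the recipient uses, and it does not depend on the password the campaign above supplied in the email body, because the names live in the archive structure, not in the encrypted entry data.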

IntelCrawler found that, starting March 24, attackers exploited this WinRAR vulnerability in a “cyber espionage campaign” targeting aerospace companies, military subcontractors, embassies, and firms on the Fortune Global 500 list.

In one sample of a spam email obtained by IntelCrawler, the attackers attached the password-protected, malicious ZIP file and included the password for the file in the body of the email, which purported to come from European Council Legal Affairs.

Researchers analyzed the attachment and determined it was a Zeus-like Trojan capable of establishing remote administration channels with the infected victim, and gathering passwords and saved forms, according to the research.

Tuesday, March 25, 2014 @ 06:03 PM gHale

An app exploiting an Android vulnerability triggers the continuous rebooting of a device.

Ibrahim Balic, who created the proof-of-concept (PoC) that exploits the vulnerability, said it can be triggered by an app whose “appname” field in strings.xml is given an extremely long value (more than 387,000 characters).


Trend Micro researchers described the flaw: “our analysis shows that the first crash is caused by the memory corruption in WindowManager, the interface that apps use to control the placement and appearance of windows on a given screen. Large amounts of data were entered into the Activity label, which is the equivalent of the window title in Windows.”

“If a cybercriminal builds an app containing a hidden Activity with a large label, the user will have no idea whatsoever that this exploit is in fact taking place. Cybercriminals can further conceal the exploit by setting a timed trigger event that stops the current app activity and then opens the hidden Activity. When the timed event is triggered, the exploit runs, and the system server crashes as a result. This stops all functionality of the mobile device, and the system will be forced to reboot.

“An even worse case is when the malware is written to start automatically upon device startup. Doing so will trap the device in a rebooting loop, rendering it useless. In this case, only a boot loader recovery fix will work, which means that all the information (contacts, photos, files, etc.) stored inside the device will be erased.”

The flaw apparently affects mobile devices with Android OS versions 4.0 and above.

Friday, February 21, 2014 @ 12:02 PM gHale

ICONICS created a patch that fixes an ActiveX vulnerability in its GENESIS32 application, found while resolving unrelated product issues, according to a report on ICS-CERT.

ICONICS GENESIS32 Version 9.0 and newer are not vulnerable. Attackers could exploit this vulnerability remotely, but it requires user interaction.


The following ICONICS products suffer from the issue: GENESIS32 versions 8.0, 8.02, 8.04, and 8.05.

An attacker can craft a web page script that uses the insecure ActiveX control to launch any arbitrary executable code. Social engineering would need to occur to get a user to visit the attacker’s web page to launch the script.

These versions of GENESIS32 are vulnerable because the ActiveX control is installed by default, whether or not it is ever used.

Foxborough, MA-based ICONICS has offices in the United Kingdom, Netherlands, Italy, India, Germany, France, Czech Republic, China and the Asia/Australia/Pacific Rim.

ICONICS GENESIS32 sees use across several sectors including commercial facilities, energy, food and agriculture, healthcare and public health, and water and wastewater systems.

The insecure ActiveX control is used by the GenLaunch.htm file, which launches the GENESIS32 applications.

CVE-2014-0758 is the identifier assigned to this vulnerability, which has a CVSS v2 base score of 9.3.

Exploits that target this vulnerability are not publicly available. An attacker with a moderate skill would be able to exploit this vulnerability.

ICONICS provides information and useful links related to its security patches at its web site.

ICONICS also recommends users of GENESIS32 V8 systems take the following mitigation steps:
• Use a firewall, place control system networks and devices behind firewalls and isolate them from the business network.
• Do not click web links or open unsolicited attachments in email messages.
• Install the patch.

The ICONICS web site also provides a downloadable Whitepaper on Security Vulnerabilities (registration required for download). The whitepaper contains an overview, details and a mitigation plan for buffer overflow and memory corruption vulnerabilities in ICONICS GENESIS32 and GENESIS64 Supervisory Control and Data Acquisition (SCADA) products.

Tuesday, February 18, 2014 @ 03:02 PM gHale

Proof-of-concept exploit code is available for a vulnerability that allows attackers to launch denial-of-service (DoS) attacks against websites hosted on Apache Tomcat servers.

Apache Tomcat is a widely used Web server for hosting applications developed with the Java Servlet and the JavaServer Pages (JSP) technologies.


The new DoS vulnerability is in Apache Commons FileUpload, a stand-alone library developers can use to add file upload capability to their Java web applications. Apache Tomcat versions 7 and 8 bundle a copy of this library by default in order to support the processing of multipart (mime-multipart) requests.

The multipart content type is used when an HTTP request carries several sets of data in its body. The data sets are separated by an encapsulation boundary, a string defined in the request headers to serve as the delimiter.

Requests that specify a boundary longer than 4091 characters force vulnerable Apache Tomcat servers into an endless loop, said security researchers from Trustwave. As a result, the Tomcat process consumes all available CPU until it is stopped.

The vulnerability, tracked as CVE-2014-0050, ended up reported responsibly to the Apache Software Foundation Feb. 4, but accidentally made it out to the public two days later because of an error in addressing an internal email. This prompted Apache to release a security advisory the same day despite the absence of patched versions for Commons FileUpload or Tomcat 7 and 8.

Since then, the vulnerability has been fixed in Commons FileUpload version 1.3.1, released Feb. 7, and in a beta of Tomcat 8.0.3 released last Tuesday. The fix should also ship in Apache Tomcat 7.0.51, but that version of the server has yet to be released.

According to Apache, the risk from this vulnerability is lower on older servers running Tomcat 6. “While Tomcat 6 uses Commons FileUpload as part of the Manager application, access to that functionality is limited to authenticated administrators,” Apache said in its advisory.

Code patches are available in the SVN repositories for Commons FileUpload, Tomcat 8 and Tomcat 7, but they need manual application.

Servers running Apache Tomcat 7.0 to 7.0.50 or 8.0 to 8.0.1 and hosting sites that utilize Servlet 3.0 specifications — for example “request.getPart” or “request.getParts” methods — are vulnerable, said Oren Hafif, a security researcher at Trustwave, in a blog post. Sites using Apache Commons FileUpload library older than 1.3.1 are also vulnerable, he said.

The researcher released a proof-of-concept exploit written in Ruby that administrators can use in their quality assurance or staging environments to test if their Tomcat-hosted sites are vulnerable.
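Where the 4091-character figure comes from, and what a front-door check looks like, as an added example that is not the Trustwave PoC nor Apache’s code: Commons FileUpload scans for the delimiter (CRLF, two dashes, then the boundary) inside a 4096-byte read buffer, and 1.3.1 adds a guard requiring that buffer to hold the whole delimiter plus one more byte, which with a 4096-byte buffer is exactly a boundary of at most 4091 characters. The Python below parses the `boundary` parameter (quoted or bare), applies that guard and the RFC 2046 limit of 70 characters, and splits a small constructed body. `check_buffer_fits` is this page’s rendering of the guard, not the library’s source, and the request strings are constructed samples.

```python
RFC2046_MAX_BOUNDARY = 70          # RFC 2046 section 5.1.1: a boundary is 1 to 70 characters
FILEUPLOAD_BUF_SIZE = 4096         # Commons FileUpload MultipartStream default buffer size
BOUNDARY_PREFIX = b"\r\n--"        # the delimiter actually scanned for is CRLF "--" boundary


def parse_boundary(content_type: str) -> str:
    """Extract the boundary parameter from a multipart/form-data Content-Type value,
    handling the quoted form; raises ValueError when it is missing or empty."""
    media_type, _, params = content_type.partition(";")
    if media_type.strip().lower() != "multipart/form-data":
        raise ValueError("not multipart/form-data")
    for param in params.split(";"):
        name, _, value = param.strip().partition("=")
        if name.strip().lower() == "boundary":
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            if not value:
                raise ValueError("empty boundary")
            return value
    raise ValueError("multipart/form-data without a boundary parameter")


def check_buffer_fits(boundary: str, buf_size: int = FILEUPLOAD_BUF_SIZE) -> None:
    """Guard in the spirit of the 1.3.1 fix (assumed from the fix, phrased in Python): the read
    buffer must hold the full delimiter plus one byte or the boundary scan can never advance.
    With a 4096-byte buffer this rejects boundaries longer than 4091 characters."""
    delimiter_len = len(BOUNDARY_PREFIX) + len(boundary.encode("latin-1"))
    if buf_size < delimiter_len + 1:
        raise ValueError(f"boundary of {len(boundary)} chars cannot fit a {buf_size}-byte buffer")


def vet_request(content_type: str) -> str:
    """Check a WAF or servlet filter can apply before the body reaches the multipart parser."""
    try:
        boundary = parse_boundary(content_type)
    except ValueError as exc:
        return f"reject: {exc}"
    if len(boundary) > RFC2046_MAX_BOUNDARY:
        return f"reject: boundary length {len(boundary)} exceeds RFC 2046 limit of {RFC2046_MAX_BOUNDARY}"
    return "ok"


def split_parts(body: bytes, boundary: str) -> list:
    """Minimal multipart body splitter that refuses configurations the real parser hung on."""
    check_buffer_fits(boundary)
    delimiter = b"--" + boundary.encode("latin-1")
    parts = []
    for chunk in body.split(delimiter)[1:]:        # [0] is the preamble before the first delimiter
        if chunk.startswith(b"--"):                # closing delimiter "--boundary--"
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        if chunk.endswith(b"\r\n"):
            chunk = chunk[:-2]
        parts.append(chunk)
    return parts


# Constructed samples: an ordinary browser upload and a request with an oversized boundary.
GOOD_CT = 'multipart/form-data; boundary="----WebKitFormBoundary7MA4YWxk"'
BAD_CT = "multipart/form-data; boundary=" + "A" * 4092
SAMPLE_BODY = (b"------WebKitFormBoundary7MA4YWxk\r\n"
               b'Content-Disposition: form-data; name="file"; filename="a.txt"\r\n\r\n'
               b"hello\r\n"
               b"------WebKitFormBoundary7MA4YWxk--\r\n")
```

The RFC 2046 limit is the check worth deploying at the edge: no legitimate client needs more than 70 characters, and it blocks the 4091-character trigger with a large margin while the vendor patch is rolled out.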

Thursday, February 13, 2014 @ 04:02 AM gHale

Facebook fixed an Instagram cross-site request forgery (CSRF) vulnerability first reported 22 August 2013.

Freelance security researcher Christian Lopez Martin first found the vulnerability, which allowed access to users’ photos and information by making their private profiles public.


The service’s lack of a mechanism to prevent CSRF attacks allowed Martin to create a simple CSRF exploit. Facebook deployed a fix on 6 September 2013, but Martin found a way to bypass that too. After yet another ineffective fix, a final patch fixed the problem 4 February 2014.
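What “a mechanism to prevent CSRF attacks” means in practice, as an added example that is not Instagram’s code or Martin’s exploit: a request handler that flips a profile’s privacy setting, first with no defence (any page the victim visits can submit the form inside her logged-in session) and then with a per-session synchronizer token checked in constant time plus an Origin/Referer check that fails closed. The handler, field names and site URL are hypothetical.

```python
import hmac
import secrets
from typing import Dict

SITE_ORIGIN = "https://app.example"        # hypothetical first-party origin


def new_session(user: str = "alice") -> Dict[str, str]:
    """Server-side session with a fresh CSRF secret minted at login."""
    return {"user": user, "csrf_token": secrets.token_urlsafe(32)}


def vulnerable_set_privacy(session: dict, form: dict, headers: dict) -> dict:
    """No CSRF defence: the browser attaches the session cookie to any cross-site POST,
    so an attacker page can change the setting without the victim noticing."""
    return {"user": session["user"], "public": form.get("public") == "1"}


def hardened_set_privacy(session: dict, form: dict, headers: dict) -> dict:
    """Synchronizer token plus origin check; either failure rejects the request."""
    sent = form.get("csrf_token", "")
    if not hmac.compare_digest(sent.encode(), session["csrf_token"].encode()):
        raise PermissionError("missing or wrong CSRF token")
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not origin.startswith(SITE_ORIGIN + "/") and origin != SITE_ORIGIN:
        raise PermissionError(f"cross-site request from {origin or 'unknown origin'}")
    return {"user": session["user"], "public": form.get("public") == "1"}


def render_form(session: dict) -> str:
    """First-party form that carries the token; the attacker's page cannot read it."""
    return ('<form method="post" action="/privacy">'
            f'<input type="hidden" name="csrf_token" value="{session["csrf_token"]}">'
            '<input type="hidden" name="public" value="1"><button>Make public</button></form>')


# Constructed traffic: a forged POST from an attacker-controlled page, and a real one.
ATTACKER_FORM = {"public": "1"}
ATTACKER_HEADERS = {"Origin": "https://evil.example"}


def simulate(session: dict):
    """Outcome of the forged request against each handler: (vulnerable flipped?, hardened flipped?)."""
    flipped_vuln = vulnerable_set_privacy(session, ATTACKER_FORM, ATTACKER_HEADERS)["public"]
    try:
        hardened_set_privacy(session, ATTACKER_FORM, ATTACKER_HEADERS)
        flipped_hard = True
    except PermissionError:
        flipped_hard = False
    return flipped_vuln, flipped_hard
```

The token check alone already defeats the forged request; the origin check is defence in depth for the case the report describes, where a first fix was bypassed and a second was needed.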


Wednesday, February 12, 2014 @ 11:02 PM gHale

MatrikonOPC created a patch that mitigates the improper input validation vulnerability in the MatrikonOPC SCADA DNP3 OPC Server application, according to a report on ICS-CERT.

Researchers Adam Crain of Automatak and independent researcher Chris Sistrunk, who discovered the vulnerability, tested the patch to validate it resolves the remotely exploitable vulnerability.


MatrikonOPC SCADA DNP3 OPC Server versions older than Version suffer from the issue.

An attacker could potentially use this vulnerability to craft an exploit to cause a denial-of-service (DoS) loop in the MatrikonOPC Server for DNP3 Windows service. This requires a reboot of the system to restart DNP3 communications. After the service falls into the DoS condition, the configuration tool experiences a read access violation.

MatrikonOPC is an Edmonton, Canada-based company that maintains offices in several countries around the world, including the United States, Canada, Germany, Russia, Australia, Singapore, Norway, Brazil, UK, India, Spain, Portugal, and Costa Rica.

The affected product, SCADA DNP3 OPC Server, is Microsoft Windows-based software that facilitates connectivity to multiple DNP3-compliant devices such as remote terminal units, programmable logic controllers, and meters. The SCADA DNP3 OPC Server is deployed across several sectors, including chemical and energy. MatrikonOPC products are used primarily in the US, Canada, and UK, according to MatrikonOPC.

The susceptible versions of MatrikonOPC contain a specific vulnerability that may cause the server to exit and communications to stop. This only happens after the server (master station) successfully connects to a device (outstation) that returns a malformed DNP3 packet. The process never recovers and cannot shut down. The Windows operating system on the master station would have to reboot to reestablish communications. After the service falls into a DoS condition, the configuration tool experiences a read access violation on further reboots.

CVE-2013-2829 is the identifier assigned to this vulnerability, which has a CVSS v2 base score of 7.1.

No known public exploits specifically target this vulnerability. An attacker with a moderate skill would be able to exploit this vulnerability.

MatrikonOPC recommends customers obtain and install the patch.

See the Product Advisory section of the MatrikonOPC web site for the posted security notification.

Contact OPC Support to obtain the new version of the OPC server for DNP3. Install the new version of the OPC Server for DNP3.

The researchers suggest the following mitigation: block DNP3 traffic from traversing onto business or corporate networks by using an IPS or firewall with DNP3-specific rule sets.
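What “validate before you trust” looks like for the malformed-outstation-response case described above, and what a DNP3-aware filter rule has to compute, as an added example that is not MatrikonOPC’s code nor the researchers’ test cases: a Python parser for the DNP3 link-layer frame (start bytes 0x05 0x64, LEN, CTRL, DEST, SRC, header CRC, then user data in 16-byte blocks each followed by its own CRC) that checks every length and CRC and raises `ValueError` instead of indexing past the end or handing garbage upward. The CRC is the standard DNP3 CRC-16 (polynomial 0x3D65, reflected, final complement). The reset-link frame is the canonical example `05 64 05 C0 01 00 00 04 E9 21`; the other inputs are constructed.

```python
import struct

START = b"\x05\x64"
HEADER_LEN = 10                 # 05 64 | LEN | CTRL | DEST(2) | SRC(2) | CRC(2), all little-endian
BLOCK = 16                      # user data travels in 16-byte blocks, each followed by a 2-byte CRC


def crc16_dnp(data: bytes) -> int:
    """DNP3 CRC: polynomial 0x3D65 (0xA6BC reflected), init 0, result complemented."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_link_frame(ctrl: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """Assemble a well-formed link-layer frame (used here to produce test input)."""
    if len(user_data) > 250:                      # LEN is one byte and counts 5 header bytes
        raise ValueError("link frame carries at most 250 bytes of user data")
    header = START + struct.pack("<BBHH", 5 + len(user_data), ctrl, dest, src)
    frame = header + struct.pack("<H", crc16_dnp(header))
    for i in range(0, len(user_data), BLOCK):
        block = user_data[i:i + BLOCK]
        frame += block + struct.pack("<H", crc16_dnp(block))
    return frame


def parse_link_frame(frame: bytes) -> dict:
    """Validate every field and CRC before anything is trusted; a malformed frame is
    rejected with ValueError rather than reaching application-layer code."""
    if len(frame) < HEADER_LEN:
        raise ValueError("short frame")
    if frame[:2] != START:
        raise ValueError("bad start bytes")
    length, ctrl, dest, src, hdr_crc = struct.unpack("<BBHHH", frame[2:HEADER_LEN])
    if not 5 <= length <= 255:
        raise ValueError(f"illegal LEN {length}")
    if crc16_dnp(frame[:8]) != hdr_crc:
        raise ValueError("header CRC mismatch")
    user_len = length - 5
    blocks = (user_len + BLOCK - 1) // BLOCK
    expected = HEADER_LEN + user_len + 2 * blocks
    if len(frame) != expected:                    # LEN must agree with what actually arrived
        raise ValueError(f"LEN {length} implies {expected} bytes, got {len(frame)}")
    user_data, pos = b"", HEADER_LEN
    for i in range(blocks):
        n = min(BLOCK, user_len - i * BLOCK)
        block = frame[pos:pos + n]
        (crc,) = struct.unpack("<H", frame[pos + n:pos + n + 2])
        if crc16_dnp(block) != crc:
            raise ValueError(f"CRC mismatch in data block {i}")
        user_data += block
        pos += n + 2
    return {"ctrl": ctrl, "dir": ctrl >> 7 & 1, "prm": ctrl >> 6 & 1,
            "func": ctrl & 0x0F, "dest": dest, "src": src, "user_data": user_data}


# Canonical RESET_LINK frame from master (address 1024) to outstation (address 1),
# plus constructed malformed variants of the kind a hostile outstation could return.
RESET_LINK = bytes.fromhex("05 64 05 C0 01 00 00 04 E9 21")
BAD_HEADER_CRC = RESET_LINK[:-1] + b"\x00"
TRUNCATED = build_link_frame(0xC4, 1, 1024, b"\xC0\xC1\x01" + b"\x00" * 20)[:12]
ILLEGAL_LEN = bytes.fromhex("05 64 04 C0 01 00 00 04 00 00")
```

A deep-packet-inspection rule of the kind the researchers recommend is this parser run in line: frames that fail it never reach the master, and the per-block CRC check means a single corrupted byte in an otherwise plausible response is dropped rather than processed.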
