19 August 2019: FortiOS 5.6.7 / 6.0.4 Credential Disclosure - Files ≈ Packet Storm This Metasploit module exploits FortiOS versions 5.6.3 through 5.6.7 and 6.0.0 through 6.0.4 to leverage a credential disclosure vulnerability by reading the /dev/cmdb/sslvpn_websession file.
19 August 2019: YouPHPTube 7.2 SQL Injection - Files ≈ Packet Storm YouPHPTube version 7.2 suffers from a remote SQL injection vulnerability in userCreate.json.php.
19 August 2019: Mandos Encrypted File System Unattended Reboot Utility 1.8.8 - Files ≈ Packet Storm The Mandos system allows computers to have encrypted root file systems and at the same time be capable of remote or unattended reboots. The computers run a small client program in the initial RAM disk environment which will communicate with a server over a network. All network communication is encrypted using TLS. The clients are identified by the server using an OpenPGP key that is unique to each client. The server sends the clients an encrypted password. The encrypted password is decrypted by the clients using the same OpenPGP key, and the password is then used to unlock the root file system.
19 August 2019: Ubuntu Security Notice USN-4078-2 - Files ≈ Packet Storm Ubuntu Security Notice 4078-2 - USN-4078-1 fixed several vulnerabilities in openldap. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. It was discovered that OpenLDAP incorrectly handled rootDN delegation. A database administrator could use this issue to request authorization as an identity from another database, contrary to expectations. Various other issues were also addressed.
19 August 2019: Ubuntu Security Notice USN-4102-1 - Files ≈ Packet Storm Ubuntu Security Notice 4102-1 - It was discovered that LibreOffice incorrectly handled LibreLogo scripts. If a user were tricked into opening a specially crafted document, a remote attacker could cause LibreOffice to execute arbitrary code. It was discovered that LibreOffice incorrectly handled embedded scripts in document files. If a user were tricked into opening a specially crafted document, a remote attacker could possibly execute arbitrary code. Various other issues were also addressed.
19 August 2019: Ubuntu Security Notice USN-4100-1 - Files ≈ Packet Storm Ubuntu Security Notice 4100-1 - It was discovered that KConfig and KDE libraries have a vulnerability where an attacker could hide malicious code under desktop and configuration files. It was discovered that KConfig allows remote attackers to write to arbitrary files via a ../ in a filename in an archive file.
19 August 2019: Red Hat Security Advisory 2019-2519-01 - Files ≈ Packet Storm Red Hat Security Advisory 2019-2519-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Issues addressed include buffer overflow, bypass, cross site scripting, denial of service, information leakage, and null pointer vulnerabilities.
19 August 2019: Debian Security Advisory 4503-1 - Files ≈ Packet Storm Debian Linux Security Advisory 4503-1 - Three vulnerabilities have been discovered in the Go programming language; "net/url" accepted some invalid hosts in URLs which could result in authorisation bypass in some applications and the HTTP/2 implementation was susceptible to denial of service.
19 August 2019: Gentoo Linux Security Advisory 201908-25 - Files ≈ Packet Storm Gentoo Linux Security Advisory 201908-25 - A vulnerability in hostapd and wpa_supplicant could lead to a Denial of Service condition. Versions less than 2.8 are affected.
CERT VULNERABILITY DATABASE
Mon, 19 Aug 2019 18:47:49 +0000: VU#918987: Bluetooth BR/EDR supported devices are vulnerable to key negotiation attacks - CERT Recently Published Vulnerability Notes Bluetooth is a short-range wireless technology based off of a core specification that defines six different core configurations,including the Bluetooth Basic Rate/Enhanced Data Rate Core Configurations. Bluetooth BR/EDR is used for low-power short-range communications. To establish an encrypted connection,two Bluetooth devices must pair with each other and establish a link key that is used to generate the encryption key. For example,assume that there are two controllers attempting to establish a connection:Alice and Bob. After authenticating the link key,Alice proposes that she and Bob use 16 bytes of entropy. This number,N,could be between 1 and 16 bytes. Bob can either accept this,reject this and abort the negotiation,or propose a smaller value. Bob may wish to propose a smaller N value because he(the controller)does not support the larger amount of bytes proposed by Alice. After proposing a smaller amount,Alice can accept it and request to activate link-layer encryption with Bob,which Bob can accept. An attacker,Charlie,could force Alice and Bob to use a smaller N by intercepting Alice's proposal request to Bob and changing N. Charlie could lower N to as low as 1 byte,which Bob would subsequently accept since Bob supports 1 byte of entropy and it is within the range of the compliant values. Charlie could then intercept Bob's acceptance message to Alice and change the entropy proposal to 1 byte,which Alice would likely accept,because she may believe that Bob cannot support a larger N. Thus,both Alice and Bob would accept N and inform the Bluetooth hosts that encryption is active,without acknowledging or realizing that N is lower than either of them initially intended it to be.
Sat, 17 Aug 2019 22:06:51 +0000: VU#605641: HTTP/2 implementations do not robustly handle abnormal traffic and resource exhaustion - CERT Recently Published Vulnerability Notes The Security Considerations section of RFC7540 discusses some of the considerations needed for HTTP/2 connections as they demand more resources to operate than HTTP/1.1 connections. While it generally covers expected behavior considerations,how to mitigate abnormal behavior is left to the implementer which can leave it open to the following weaknesses. CVE-2019-9511,also known as Data Dribble The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued,this can consume excess CPU,memory,or both,potentially leading to a denial of service. CVE-2019-9512,also known as Ping Flood The attacker sends continual pings to an HTTP/2 peer,causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued,this can consume excess CPU,memory,or both,potentially leading to a denial of service. CVE-2019-9513,also known as Resource Loop The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU,potentially leading to a denial of service. CVE-2019-9514,also known as Reset Flood The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames,this can consume excess memory,CPU,or both,potentially leading to a denial of service. CVE-2019-9515,also known as Settings Flood The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame,an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued,this can consume excess CPU,memory,or both,potentially leading to a denial of service. CVE-2019-9516,also known as 0-Length Headers Leak The attacker sends a stream of headers with a 0-length header name and 0-length header value,optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory,potentially leading to a denial of service. CVE-2019-9517,also known as Internal Data Buffering The attacker opens the HTTP/2 window so the peer can send without constraint; however,they leave the TCP window closed so the peer cannot actually write(many of)the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses,this can consume excess memory,CPU,or both,potentially leading to a denial of service. CVE-2019-9518,also known as Empty Frame Flooding The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA,HEADERS,CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU,potentially leading to a denial of service.
Thu, 01 Aug 2019 17:20:20 +0000: VU#489481: Cylance Antivirus Products Susceptible to Concatenation Bypass - CERT Recently Published Vulnerability Notes Cylance PROTECT is an endpoint protection system. It contains an antivirus functionality that uses a machine learning algorithm(specifically,a neural network)to classify executables as malicious or benign. Security researchers isolated properties of the machine learning algorithm allowing them to change most known-malicious files in simple ways that cause the Cylance product to misclassify the file as benign. Several common malware families,such as Dridex,Gh0stRAT,and Zeus,were reported as successfully modified to bypass the Cylance product in this way. The success rate of the bypass is reported as approximately 85%of malicious files tested. Cylance reports a 50%bypass creation success rate based on internal testing. Either way,attacker effort to find a successful bypass would be low. Unsophisticated attackers can leverage this flaw to change any executable to which they have access; the defense evasion does not require rewriting the malware,just appending strings to it. The specific attack reported by Skylight Cyber relies on a particular set of strings used by the Cylance product. Although Cylance used an ensemble model that made some uncommon model design choices to achieve a white-listing functionality,this over-reliance on specific details when classifying a file is an instance of a common weakness in machine learning algorithms. For a comprehensive discussion of attacks on machine learning systems,see Papernot N,McDaniel P,Sinha A,Wellman MP. SoK:Security and privacy in machine learning. IEEE EuroS&P 2018. Because this flaw is an instance of a broader category of weaknesses in machine learning algorithms,we do not expect an easy solution. Cylance describes their response as"three-fold:First,we have added anti-tampering controls to the parser in order to detect feature manipulation and prevent them from impacting the model score. Second,we have strengthened the model itself to detect when certain features become proportionally overweight. Lastly,we have removed the features in the model that were most susceptible to tampering."This patch should stop the specific keywords used by the Skylight Cyber researchers from allowing an attacker to bypass detection and increase attacker effort required to find similar bypass techniques. However,the method described by the Skylight Cyber researchers to find and recover the features of the Cylance product is likely to enable the recovery of manipulable features from other security products that rely on machine learning. Although Cylance has removed features"most susceptible to tampering,"our understanding of adversarial manipulation of machine learning classifiers in other domains suggests that the remaining features almost certainly provide adequate freedom for tampering. This inference is based on the structural similarity of the Cylance machine learning model(a neural network)to models that have been successfully deceived in the domains of,for example,facial recognition or visual recognition in self-driving cars. There is some evidence that deception remains relatively easy despite the structure of computer network traffic; we are unaware of public evidence as to whether file structure carries the same limitations. This environment is the context behind and likely driver of Cylance's statement that"AI and machine learning models are,by nature,living models. They are designed to evolve and do require periodic retraining and field servicing when appropriate."
Wed, 17 Jul 2019 10:14:27 +0000: VU#790507: Oracle Solaris vulnerable to arbitrary code execution via /proc/self - CERT Recently Published Vulnerability Notes The process file system(/proc)in Oracle Solaris 11 and Solaris 10 provides a self/alias that refers to the current executing process's PID subdirectory with state information about the process. Protection mechanisms for/proc in Solaris 11/10 did not properly restrict the current(self)process from modifying itself via/proc. For services strictly providing file IO this lack of restriction allows an attacker to modify the process providing the file IO and execute arbitrary code.
Mon, 15 Jul 2019 20:20:40 +0000: VU#129209: LLVMs Arm stack protection feature can be rendered ineffective - CERT Recently Published Vulnerability Notes The stack protection feature provided in the LLVM Arm backend is an optional mitigating feature used to protect against buffer overflows. It works by adding a cookie value between local variables and the stack frame return address. The compiler stores this value in memory and checks the cookie with the LocalStackSlotAllocation function to ensure that it has not changed or been overwritten. If the value has changed,then the function will terminate. Since it currently pre-allocates the stack protector before the local variables in the stack,it's possible that a new stack protector can be allocated later in the process. If that happens,it leaves the stack protection ineffective as the new stack protector slot appears after the local variables that it is meant to protect. Additionally,it is also possible for the stack cookie pointer to spill to the stack and potentially be overwritten. This could happen in an area on the stack before the stack protector slot,rendering it ineffective.
Wed, 19 Jun 2019 02:24:29 +0000: VU#576688: Microsoft Windows RDP can bypass the Windows lock screen - CERT Recently Published Vulnerability Notes In Windows a session can be locked,which presents the user with a screen that requires authentication to continue using the session. Session locking can happen over RDP in the same way that a local session can be locked. CWE-288:Authentication Bypass Using an Alternate Path or Channel(CVE-2019-9510) Starting with Windows 10 1803(released in April 2018)and Windows Server 2019,the handling of RDP sessions has changed in a way that can cause unexpected behavior with respect to session locking. If a network anomaly triggers a temporary RDP disconnect,upon Automatic Reconnection the RDP session will be restored to an unlocked state,regardless of how the remote system was left. For example,consider the following steps: User connects to remote Windows 10 1803 or Server 2019 or newer system using RDP. User locks remote desktop session. User leaves the physical vicinity of the system being used as an RDP client At this point,an attacker can interrupt the network connectivity of the RDP client system. The RDP client software will automatically reconnect to the remote system once internet connectivity is restored. But because of this vulnerability,the reconnected RDP session is restored to a logged-in desktop rather than the login screen. This means that the remote system unlocks without requiring any credentials to be manually entered. Two-factor authentication systems that integrate with the Windows login screen,such as Duo Security MFA,may also bypassed using this mechanism. We suspect that other MFA solutions that leverage the Windows login screen are similarly affected. Any login banners enforced by an organization will also be bypassed. It is important to note that this vulnerability is with the Microsoft Windows lock screen's behavior when RDP is being used,and the vulnerability is present when no MFA solutions are installed. While MFA product vendors are affected by this vulnerability,the MFA software vendors are not necessarily at fault for relying on the Windows lock screen to behave as expected. Note that this vulnerability was originally described as requiring Network Level Authentication(NLA). We have since confirmed that this behavior is present whether or not NLA is enabled. Also,some combinations of RDP clients and Windows versions prior to Windows 10 1803 and Server 2019 may also demonstrate automatic session unlocking upon RDP reconnect. In such cases,neither MFA integrated with the login screen nor login banner displaying is bypassed in our testing. Although these cases are a different issue than VU#576688,the workarounds listed in this vulnerability note should still be applied to prevent these similar symptoms.
Wed, 12 Jun 2019 17:30:47 +0000: VU#119704: Microsoft Windows Task Scheduler SetJobFileSecurityByName privilege escalation vulnerability - CERT Recently Published Vulnerability Notes Task Scheduler is a set of Microsoft Windows components that allows for the execution of scheduled tasks. The front-end components of Task Scheduler,such as schtasks.exe,are interfaces that allow for users to view,create,and modify scheduled tasks. The back-end part of Task Scheduler is a Windows service that runs with SYSTEM privileges. One of the libraries used by the Task Scheduler service,schedsvc.dll,has a function called tsched::SetJobFileSecurityByName(),which sets permissions of job files. The permissions of the job file in the%Windir%\system32\tasks directory are modified to give the calling user full permissions to the job file that they have created. At the point where the SetSecurityInfo()function is called,the Task Scheduler service has the NT Authority\SYSTEM security token. This means that the Task Scheduler service can give full user access permissions to files that may only be controlled by the SYSTEM or other privileged accounts. Public proof-of-concept exploit code leverages the legacy schtasks.exe and schedsvc.dll code from Windows XP to take advantage of these high privilege levels when setting file permissions. Versions of Windows prior to Vista used job files in the%Windir%\tasks directory. Legacy versions of schtasks.exe will cause these jobs to be migrated to the%Windir%\system32\tasks directory when those program versions are executed on modern Windows platforms. In conjunction with the SYSTEM security token used by the Task Scheduler service,this migration behavior can be used along with hard links to grant full permissions of protected files to any user on a Windows system. We have confirmed that the public exploit code functions reliably on 32- and 64-bit Windows 10 platforms,as well as Windows Server 2016 and Windows Server 2019. While Windows 8 still contains this vulnerability,exploitation using the publicly-described technique is limited to files where the current user has write access,in our testing. As such,the impact on Windows 8 systems using the technique used by the public exploit appears to be negligible. We have not been able to demonstrate the vulnerability on Windows 7 systems.
Wed, 05 Jun 2019 21:33:31 +0000: VU#871675: WPA3 design issues and implementation vulnerabilities in hostapd and wpa_supplicant - CERT Recently Published Vulnerability Notes CERT continues to review the WPA3 protocol in support of this body of research. The root cause of the numerous"implementation"vulnerabilities may involve modifying the protocol. WPA3 uses Simultaneous Authentication of Equals(SAE),also known as Dragonfly Key Exchange,as the initial key exchange protocol,replacing WPA2's Pre-Shared Key(PSK)protocol. hostapd is a daemon for access point and authentication servers used by WPA3 authentication. wpa_supplicant is a wireless supplicant that implements key negotiation with the WPA Authenticator and supports WPA3. Both of these components,as implemented with Extensible Authentication Protocol Password(EAP-PWD)and SAE,are vulnerable as follows: CVE-2019-9494:SAE cache attack against ECC groups(SAE side-channel attacks)- CWE-208 and CWE-524 The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of observable timing differences and cache access patterns. CVE-2019-9495:EAP-PWD cache attack against ECC groups(EAP-PWD side-channel attack)- CWE-524 The implementations of EAP-PWD in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of cache access patterns. Versions of hostapd and wpa_supplicant versions 2.7 and earlier,with EAP-PWD support are vulnerable. CVE-2019-9496:SAE confirm missing state validation - CWE-642 An invalid authentication sequence could result in the hostapd process terminating due to missing state validation steps when processing the SAE confirm message when in hostapd/AP mode. All version of hostapd with SAE support are vulnerable. CVE-2019-9497:EAP-PWD reflection attack(EAP-PWD missing commit validation)- CWE-301 The implementations of EAP-PWD in hostapd EAP Server and wpa_supplicant EAP Peer do not validate the scalar and element values in EAP-pwd-Commit. CVE-2019-9498:EAP-PWD server missing commit validation for scalar/element - CWE-346 The implementations of EAP-PWD in hostapd EAP Server,when built against a crypto library missing explicit validation on imported elements,do not validate the scalar and element values in EAP-pwd-Commit. CVE-2019-9499:EAP-PWD peer missing commit validation for scalar/element - CWE-346 The implementations of EAP-PWD in wpa_supplicant EAP Peer,when built against a crypto library missing explicit validation on imported elements,do not validate the scalar and element values in EAP-pwd-Commit.
Wed, 22 May 2019 14:19:27 +0000: VU#169249: PrinterLogic Print Management Software fails to validate SSL certificates or the integrity of software updates. - CERT Recently Published Vulnerability Notes PrinterLogic versions up to and including 126.96.36.199 are vulnerable to multiple attacks. The PrinterLogic agent,running as SYSTEM,does not validate the PrinterLogic Management Portal's SSL certificate,validate PrinterLogic update packages,or sanitize web browser input. CVE-2018-5408:The PrinterLogic Print Management software does not validate,or incorrectly validates,the PrinterLogic management portal's SSL certificate. When a certificate is invalid or malicious,it might allow an attacker to spoof a trusted entity by using a man-in-the-middle(MITM)attack. The software might connect to a malicious host while believing it is a trusted host,or the software might be deceived into accepting spoofed data that appears to originate from a trusted host. (C WE-295) CVE-2018-5409:PrinterLogic Print Management software updates and executes the code without sufficiently verifying the origin and integrity of the code. An attacker can execute malicious code by compromising the host server,performing DNS spoofing,or modifying the code in transit. (CWE-494) CVE-2019-9505:PrinterLogic Print Management software does not sanitize special characters allowing for remote unauthorized changes to configuration files. (CWE-159)
Thu, 16 May 2019 17:12:21 +0000: VU#400865: Cisco Trust Anchor module (TAm) improperly checks code and Cisco IOS XE web UI does not sanitize user input - CERT Recently Published Vulnerability Notes CVE-2019-1649:Secure Boot Tampering,also known as Thrangrycat The logic that handles Cisco's Secure Boot improperly checks an area of code that manages the Field Programmable Gate Array(FPGA). The secure boot feature is a proprietary FPGA based implementation used for ensuring chain of trust for software. The secure boot can be bypassed by modifying the bitstream of the FPGA,allowing an authenticated,local attacker to make persistent modification to the root of trust for software integrity. CVE-2019-1862:IOS XE Web UI Command Injection The web user interface of Cisco IOS XE improperly sanitizes user-supplied input. This could allow an authenticated,remote attacker to execute commands as root on the underlying Linux shell.
Wed, 24 Apr 2019 15:03:05 +0000: VU#192371: VPN applications insecurely store session cookies - CERT Recently Published Vulnerability Notes Virtual Private Networks(VPNs)are used to create a secure connection with another network over the internet. Multiple VPN applications store the authentication and/or session cookies insecurely in memory and/or log files. CWE-311:Missing Encryption of Sensitive Data The following products and versions store the cookie insecurely in log files: - CVE-2019-1573:Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0- CVE-2019-11213: Pulse Desktop Client 9.0R2 and earlier and 5.3R6 and earlier; Pulse Connect Secure(for Network Connect customers)9.0R2 and earlier,8.3R6 and earlier,and 8.1R13 and earlier The following products and versions store the cookie insecurely in memory: - CVE-2019-1573:Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 - CVE-2019-11213:Pulse Desktop Client 9.0R2 and earlier and 5.3R6 and earlier; Pulse Connect Secure(for Network Connect customers)9.0R2 and earlier,8.3R6 and earlier,and 8.1R13 and earlier - Cisco AnyConnect 4.7.x and prior It is likely that this configuration is generic to additional VPN applications. If you believe that your organization is vulnerable,please contact CERT/CC at email@example.com with the affected products,version numbers,patch information,and self-assigned CVE.
Tue, 23 Apr 2019 18:28:38 +0000: VU#166939: Broadcom WiFi chipset drivers contain multiple vulnerabilities - CERT Recently Published Vulnerability Notes Quarkslab has researched and reported multiple vulnerabilities affecting Broadcom WiFi drivers. Vulnerabilities in the open source brcmfmac driver: CVE-2019-9503:If the brcmfmac driver receives a firmware event frame from a remote source,the is_wlc_event_frame function will cause this frame to be discarded and not be processed. If the driver receives the firmware event frame from the host,the appropriate handler is called. This frame validation can be bypassed if the bus used is USB(for instance by a wifi dongle). This can allow firmware event frames from a remote source to be processed. CVE-2019-9500:If the Wake-up on Wireless LAN functionality is configured,a malicious event frame can be constructed to trigger an heap buffer overflow in the brcmf_wowl_nd_results function. This vulnerability can be exploited by compromised chipsets to compromise the host,or when used in combination with the above frame validation bypass,can be used remotely. NOTE:The brcmfmac driver only works with Broadcom FullMAC chipsets. Vulnerabilities in the Broadcom wl driver: Two heap buffer overflows can be triggered in the client when parsing an EAPOL message 3 during the 4-way handshake from the access point(AP). CVE-2019-9501:By supplying a vendor information element with a data length larger than 32 bytes,a heap buffer overflow is triggered in wlc_wpa_sup_eapol. CVE-2019-9502:If the vendor information element data length is larger than 164 bytes,a heap buffer overflow is triggered in wlc_wpa_plumb_gtk. NOTE:When the wl driver is used with SoftMAC chipsets,these vulnerabilities are triggered in the host's kernel. When a FullMAC chipset is being used,these vulnerabilities would be triggered in the chipset's firmware.
Mon, 08 Apr 2019 21:16:03 +0000: VU#174715: MyCar Controls uses hard-coded credentials - CERT Recently Published Vulnerability Notes MyCar is a small aftermarket telematics unit from AutoMobility Distribution Inc. MyCar add smartphone-controlled geolocation,remote start/stop and lock/unlock capabilities to a vehicle with a compatible remote start unit. The MyCar Controls mobile application contains hard-coded admin credentials(CWE-798)which can be used in place of a user's username and password to communicate with the server endpoint for a target user's account. This vulnerability affects versions prior to 3.4.24 on iOS and prior to 4.1.2 on Android.