13 December 2018: Falco 0.13.0 - Files ≈ Packet Storm Sysdig falco is a behavioral activity monitoring agent that is open source and comes with native support for containers. Falco lets you define highly granular rules to check for activities involving file and network activity, process execution, IPC, and much more, using a flexible syntax. Falco will notify you when these rules are violated. You can think about falco as a mix between snort, ossec and strace.
13 December 2018: HP Security Bulletin MFSBGN03835 1 - Files ≈ Packet Storm HP Security Bulletin MFSBGN03835 1 - The SSC REST API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users access to arbitrary details of the Local and LDAP users via POST method and to arbitrary details of other user's Fortify projects via GET method. Revision 1 of this advisory.
13 December 2018: HP Security Bulletin MFSBGN03837 1 - Files ≈ Packet Storm HP Security Bulletin MFSBGN03837 1 - A vulnerabilities in Apache Tomcat was addressed by Micro Focus Network Node Manager i. The vulnerability could be exploited Remote Cross-Site Scripting (XSS) and Remote Disclosure of Information. Revision 1 of this advisory.
13 December 2018: Red Hat Security Advisory 2018-3816-01 - Files ≈ Packet Storm Red Hat Security Advisory 2018-3816-01 - Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller framework for web application development. Action Pack implements the controller and the view components. Issues addressed include memory disclosure and client-side security problems.
13 December 2018: Debian Security Advisory 4354-1 - Files ≈ Packet Storm Debian Linux Security Advisory 4354-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or bypass of the same-origin policy.
13 December 2018: WebDAV Server Serving DLL - Files ≈ Packet Storm This Metasploit module simplifies the rundll32.exe Application Whitelisting Bypass technique. The module creates a webdav server that hosts a dll file. When the user types the provided rundll32 command on a system, rundll32 will load the dll remotely and execute the provided export function. The export function needs to be valid, but the default meterpreter function can be anything. The process does write the dll to C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV but does not load the dll from that location. This file should be removed after execution. The extension can be anything you'd like, but you don't have to use one. Two files will be written to disk. One named the requested name and one with a dll extension attached.
13 December 2018: Red Hat Security Advisory 2018-3822-01 - Files ≈ Packet Storm Red Hat Security Advisory 2018-3822-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include an use-after-free vulnerability.
13 December 2018: Red Hat Security Advisory 2018-3823-01 - Files ≈ Packet Storm Red Hat Security Advisory 2018-3823-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include an use-after-free vulnerability.
13 December 2018: Ubuntu Security Notice USN-3845-1 - Files ≈ Packet Storm Ubuntu Security Notice 3845-1 - Eyal Itkin discovered FreeRDP incorrectly handled certain stream encodings. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applies to Ubuntu 18.04 LTS and Ubuntu 18.10. Eyal Itkin discovered FreeRDP incorrectly handled bitmaps. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. Various other issues were also addressed.
12 December 2018: WordPress Snap Creek Duplicator Code Injection - Files ≈ Packet Storm When the WordPress plugin Snap Creek Duplicator restores a backup, it leaves dangerous files in the filesystem such as installer.php and installer-backup.php. These files allow anyone to call a function that overwrite the wp-config.php file AND this function does not sanitize POST parameters before inserting them inside the wp-config.php file, leading to arbitrary PHP code execution. WARNING: This exploit WILL break the wp-config.php file. If possible try to restore backups of the configuration after the exploit to make the WordPress site work again.
12 December 2018: HotelDruid 2.3 SQL Injection - Files ≈ Packet Storm HotelDruid version 2.3 suffers from a remote SQL injection vulnerability.
Thu, 08 Nov 2018 18:58:48 +0000: VU#581311: TP-Link EAP Controller lacks RMI authentication and is vulnerable to deserialization attacks - CERT Recently Published Vulnerability Notes CWE-306:Missing Authentication for Critical Function - CVE-2018-5393 EAP Controller for Linux utilizes a Java remote method invocation(RMI)service for remote control. The RMI interface does not require any authentication before use. Remote attackers can implement deserialization attacks through the RMI protocol. Successful attacks may allow a remote attacker to remotely control the target server and execute Java functions or bytecode. CWE-502:Deserialization of Untrusted Data - CVE-2015-6420 EAP Controller for Linux bundles a vulnerable version of Apache commons-collections v3.2.1 with the software,which appears to be the root cause of the vulnerability. Therefore,EAP Controller v2.5.3 and earlier are vulnerable to CVE-2015-6420 as documented in VU#576313. EAP Controller v2.5.3 and earlier for Linux are affected by both vulnerabilities.
Wed, 07 Nov 2018 19:43:28 +0000: VU#395981: Self-Encrypting Drives Have Multiple Vulnerabilities - CERT Recently Published Vulnerability Notes CVE-2018-12037 There is no cryptographic relation between the password provided by the end user and the key used for the encryption of user data. This can allow an attacker to access the key without knowing the password provided by the end user,allowing the attacker to decrypt information encrypted with that key. According to National Cyber Security Centre - The Netherlands(NCSC-NL),the following products are affected by CVE-2018-12037: Crucial(Micron)MX100,MX200 and MX300 drives Samsung T3 and T5 portable drives Samsung 840 EVO and 850 EVO drives(In"ATA high" mode these devices are vulnerable,In"TCG"or"ATA max"mode these devices are NOT vulnerable.) CVE-2018-12038 Key information is stored within a wear-leveled storage chip. Wear-leveling does not guarantee that an old copy of updated data is fully removed. If the updated data is written to a new segment,old versions of data may exist in the previous segment for some time after it has been updated(until that previous segment is overwritten). This means that if a key is updated with a new password,the previous version of the key(either unprotected,or with an old password)could be accessible,negating the need to know the updated password. According to NCSC-NL,the following products are affected by CVE-2018-12038: Samsung 840 EVO drives Other products were not reported to have been tested,and similar vulnerabilities may be found in those products.
Wed, 07 Nov 2018 19:22:07 +0000: VU#317277: Texas Instruments Microcontrollers CC2640 and CC2650 are vulnerable to heap overflow - CERT Recently Published Vulnerability Notes CWE-119:Improper Restriction of Operations within the Bounds of a Memory Buffer CVE-2018-16986 - also known as BLEEDINGBIT The following Texas Instrument chips are affected: CC2640(non-R2)with BLE-STACK version 2.2.1 or an earlier version CC2650 with BLE-STACK version 2.2.1 or an earlier version CC2640R2F with SimpleLink CC2640R2 SDK version 1.00.00.22(BLE-STACK 3.0.0)CC1350 with SimpleLink CC13x0 SDK version 2.20.00.38(BLE-STACK 2.3.3)or an earlier version The above Texas Instruments controllers contain BLE-Stacks with a memory corruption vulnerability resulting from the mishandling of BLE advertising packets. The function llGetAdvChanPDU that is part of the embedded ROM image in both chips handles the incoming advertising packets and parses their headers. It copies the contents to a separate buffer provided by the calling function. The incorrect length of the packet is taken and ends up being parsed as larger packets than originally intended. If the incoming data is over a certain length,the function will call the halAssertHandler function,as defined by the application running on top of the stack,and not stop execution. Since the flow of execution does not stop,it will copy the overly large packet to the buffer and cause a heap overflow. CVE-2018-7080 - also known as BLEEDINGBIT The following Texas Instruments devices are affected: CC2642R CC2640R2 CC2640 CC2650 CC2540 CC2541 An attacker could exploit the overflow in CVE-2018-16986 on certain network devices that use the above Texas Instruments chips if they have the Over the Air firmware Download(OAD)feature enabled to overwrite the firmware. The OAD feature allows for remote firmware updates of some BLE chips. An attacker could connect to a BLE chip on a vulnerable access point(either without authentication or by obtaining the password through other means depending on the implementation)and upload their own malicious firmware,which may contain malicious code that could give them complete control over the access point.
Mon, 05 Nov 2018 19:20:42 +0000: VU#339704: Cisco ASA and FTD SIP Inspection denial-of-service vulnerability - CERT Recently Published Vulnerability Notes Cisco Adaptive Security Appliance(ASA)software and Cisco Firepower Threat Defense(FTD)software fails to properly parse SIP traffic,which can allow an attacker to trigger high CPU usage,resulting in a denial-of-service condition on affected devices. This vulnerability is exposed if SIP Inspection is enabled on affected devices,which is the default configuration on ASA devices. The Cisco SIP Inspection feature is advertised to"... enforce the sanity of the SIP messages,as well as detect SIP-based attacks."
Tue, 23 Oct 2018 17:34:21 +0000: VU#598349: Automatic DNS registration and proxy autodiscovery allow spoofing of network services - CERT Recently Published Vulnerability Notes The Web Proxy Automatic Discovery(WPAD)protocol is used to automatically provide proxy configuration information to devices on a network. Clients issue a special DHCP request to obtain the information for the proxy configuration,but will fall back on a DNS request to one of several standardized URLs making use of the subdomain name of“wpad” if a DHCP response is unavailable. An attacker with local area network(LAN)access may be able to add a device with the name“wpad” to the network,which may produce a collision with a standardized WPAD DNS name. Many customer premise home/office routers(including,but not limited to,Google Wifi and Ubiquiti UniFi)automatically register device names as DNS A records on the LAN,which may allow an attacker to utilize a specially named and configured device to act as a WPAD proxy configuration server. The attacker-served proxy configuration can result in the loss of confidentiality and integrity of any network activity by any device that utilizes WPAD. Other autodiscovery names such as ISATAP may also be exploitable.
Tue, 16 Oct 2018 18:51:35 +0000: VU#176301: Auto-Maskin DCU 210E RP 210E and Marine Pro Observer App - CERT Recently Published Vulnerability Notes CWE 798:୕se of Hard-Coded Credentials - CVE–2018-5399 The DCU 210E firmware contains an undocumented Dropbear SSH server with a hardcoded username and password. The password is easily susceptible to cracking. CWE-346:rigin Validation Error - CVE–2018-5400 The Auto-Maskin products utilize an undocumented custom protocol to set up Modbus communications with other devices without validating those devices. CWE-319:ୃleartext Transmission of Sensitive Information - CVE–2018-5401 The devices transmit process control information via unencrypted Modbus communications. CWE-319:ୃleartext Transmission of Sensitive Information - CVE–2018-5402 The embedded webserver uses unencrypted plaintext for the transmission of the administrator PIN.
Fri, 12 Oct 2018 12:31:15 +0000: VU#641765: Linux kernel IP fragment re-assembly vulnerable to denial of service - CERT Recently Published Vulnerability Notes CWE-400:Uncontrolled Resource Consumption('Resource Exhaustion')- CVE-2018-5391 The Linux kernel,versions 3.9+,is vulnerable to a denial of service attack with low rates of specially modified packets targeting IP fragment re-assembly. An attacker may cause a denial of service condition by sending specially crafted IP fragments. Various vulnerabilities in IP fragmentation have been discovered and fixed over the years. The current vulnerability(CVE-2018-5391)became exploitable in the Linux kernel with the increase of the IP fragment reassembly queue size.
Mon, 01 Oct 2018 19:38:27 +0000: VU#332928: Ghostscript contains multiple -dSAFER sandbox bypass vulnerabilities - CERT Recently Published Vulnerability Notes Ghostscript contains an optional -dSAFER option,which is supposed to prevent unsafe PostScript operations. Multiple PostScript operations bypass the protections provided by -dSAFER,which can allow an attacker to execute arbitrary commands with arbitrary arguments. This vulnerability can also be exploited in applications that leverage Ghostscript,such as ImageMagick,GraphicsMagick,evince,Okular,Nautilus,and others. Exploit code for this vulnerability is publicly available.
Fri, 14 Sep 2018 19:29:12 +0000: VU#962459: TCP implementations vulnerable to Denial of Service - CERT Recently Published Vulnerability Notes CWE-400:Uncontrolled Resource Consumption('Resource Exhaustion')- CVE-2018-5390 Linux kernel versions 4.9+can be forced to make very expensive calls to tcp_collapse_ofo_queue()and tcp_prune_ofo_queue()for every incoming packet which can lead to a denial of service. CWE-400:Uncontrolled Resource Consumption('Resource Exhaustion')- CVE-2018-6922 A TCP data structure in supported versions of FreeBSD(11,11.1,11.2,10,and 10.4)use an inefficient algorithm to reassemble the data. For both vulnerabilities,an attacker can induce a denial of service condition by sending specially modified packets within ongoing TCP sessions. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port. Thus,the attacks cannot be performed using spoofed IP addresses.
Fri, 14 Sep 2018 19:19:57 +0000: VU#787952: Android and iOS apps contain multiple vulnerabilities - CERT Recently Published Vulnerability Notes Many Android mobile devices come with OEM-pre-installed apps. Some apps have been identified as having incorrect access control settings,allowing malicious third-party apps to exploit and bypass system permissions and settings. Additionally,some Android and iOS apps embed a hard-coded cryptographic key or use a weak cryptographic algorithm that allows an attacker to obtain elevated access. Kryptowire has released a paper documenting 38 vulnerabilities in various Android smartphone devices. These vulnerabilities are largely attributed to incorrect user permissions and access control settings via pre OEM pre-installed apps,and may be exploitable via malicious third-party apps installed by the user. Two of the vulnerabilities are exploitable via the Android debug bridge(adb). Kryptowire,in collaboration with DHS S&T and the NCCIC,previously discovered and reported the following vulnerabilities. CWE-295:Improper Certificate Validation The software does not validate,or incorrectly validates,a certificate. When a certificate is invalid or malicious,it might allow an attacker to spoof a trusted entity by using a man-in-the-middle(MITM)attack. The software might connect to a malicious host while believing it is a trusted host,or the software might be deceived into accepting spoofed data that appears to originate from a trusted host. Vulnerable app: (CVE-2017-13105) Virus Cleaner(Hi Security)- Antivirus,Booster,220.127.116.119 CWE-798:Use of Hard-coded Credentials The software contains hard-coded credentials,such as a password or cryptographic key,which it uses for its own inbound authentication,outbound communication to external components,or encryption of internal data. Vulnerable apps: (CVE-2017-13100) The Moron Test,6.3.1,2017-05-04,iOS(CVE-2017-13101)musical.ly - your video social network,6.1.6,2017-10-03,iOS(CVE-2017-13102)Asphalt Xtreme:Offroad Rally Racing,1.6.0,2017-08-13,iOS(CVE-2017-13104)UberEATS:Uber for Food Delivery,1.108.10001,2017-11-02,iOS(CVE-2017-13105)Virus Cleaner(Hi Security)- Antivirus,Booster,18.104.22.1689,2017-09-13,Android(CVE-2017-13106)CM Launcher 3D - Theme,wallpaper,Secure,Efficient,5.0.3,2017-09-19,Android(CVE-2017-13107)Live.me - live stream video chat,3.7.20,2017-11-06,Android(CVE-2017-13108)DFNDR Security:Antivirus,Anti-hacking&Cleaner,5.0.9,2017-11-01,Android **REJECT**DO NOT USE THIS CANDIDATE NUMBER(CVE-2017-13103)This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. The CVSS score below reflects a worst-case scenario of code execution as a system user,however many devices and vulnerabilities have significantly lower impacts and therefore lower CVSS scores.
Thu, 13 Sep 2018 13:05:47 +0000: VU#906424: Microsoft Windows task scheduler contains a local privilege escalation vulnerability in the ALPC interface - CERT Recently Published Vulnerability Notes The Microsoft Windows task scheduler SchRpcSetSecurity API contains a vulnerability in the handling of ALPC,which can allow an authenticated user to overwrite the contents of a file that should be protected by filesystem ACLs. This can be leveraged to gain SYSTEM privileges. We have confirmed that the public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems. We have also confirmed compatibility with 32-bit Windows 10 with minor modifications to the public exploit code. Compatibility with other Windows versions is possible with further modifications. This vulnerability is being exploited in the wild.
Mon, 10 Sep 2018 19:07:37 +0000: VU#982149: Intel processors are vulnerable to a speculative execution side-channel attack called L1 Terminal Fault (L1TF) - CERT Recently Published Vulnerability Notes Speculative execution is a technique used by many modern processors to improve performance by predicting which instructions may be executed based on past execution history. When a program attempts to access data in memory,the logical memory address is translated to a physical address by the hardware. Accessing a logical or linear address that is not mapped to a physical location on the hardware will result in a terminal fault. Once the fault is triggered,there is a gap before resolution where the processor will use speculative execution to try to load data. During this time,the processor could speculatively access the level 1 data cache,potentially allowing side-channel methods to infer information that would otherwise be protected. More information about L1 terminal fault can be found here. CWE-208:Information Exposure Through Timing Discrepancy CVE-2018-3615 - L1 Terminal Fault(L1TF)SGX - also known as Foreshadow or Foreshadow-SGX Systems with microprocessors utilizing speculative execution and Intel software guard extensions(Intel SGX)may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via side-channel analysis. An unprivileged attacker can execute transient instructions,and once the processor determines that it should not have speculatively executed them,the changes are discarded and a page fault is issued. After the OS catches the fault,the user-level exception handler is called and the user can measure the secret enclave byte and use this to find the secret index in the CPU cache. CVE-2018-3620 - L1 Terminal Fault(L1TF)OS/SMM - also known as Foreshadow-OS Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and side-channel analysis. When the OS kernel decides to swap virtual memory,it may leave metadata in a page table after unmapping a virtual page that could point to a valid physical address that contains sensitive data. After the kernel clears this data,it produces a terminal fault while dereferencing the unmapped page. Even with the terminal fault,the L1 data cache still sends the unauthorized data on to the transient out-of-order execution in case the metadata present represents a cached physical address. The information that could be read by an attacker can include information from the operating system's kernel(OS)and the System Management Mode(SMM). CVE-2018-3646 - L1 Terminal Fault(L1TF)VMM - also known as Foreshadow-VMM Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis. Since a guest VM has control over the first address mapping,they can trigger terminal faults that allow them to transiently read any cached physical memory on the system,including memory from other VMs. Unlike L1TF OS/SMM,an attacker exploiting the virtual machine can control physical addresses used to access the L1 cache during transient instructions and even point to guest physical memory.
Fri, 17 Aug 2018 15:13:34 +0000: VU#857035: IKEv1 Main Mode vulnerable to brute force attacks - CERT Recently Published Vulnerability Notes The Internet Key Exchange v1 main mode is vulnerable to offline dictionary or brute force attacks. (CVE-2018-5389) It is well known, that the aggressive mode of IKEv1 PSK is vulnerable to offline dictionary or brute force attacks. For the main mode however, only an online attack against PSK authentication was thought to be feasible.
Fri, 03 Aug 2018 12:50:47 +0000: VU#307144: mingw-w64 by default produces executables that opt in to ASLR, but are not compatible with ASLR - CERT Recently Published Vulnerability Notes ASLR is an exploit mitigation technique used by modern Windows platforms. For ASLR to function, Windows executables must contain a relocations table. Despite containing the "Dynamic base" PE header, which indicates ASLR compatibility, Windows executables produced by mingw-w64 have the relocations table stripped from them by default. This means that executables produced by mingw-w64 are vulnerable to return-oriented programming (ROP) attacks.