Security Flaws & Fixes - W/E - 062918
Cisco Warns of Public Exploitation of ASA Web Services DoS Bug (06/28/2018)
A bug in Cisco's Adaptive Security Appliance Web Services that was patched on June 6 is being publicly exploited, the vendor said in an advisory. This vulnerability could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial-of-service (DoS) condition. An exploit could allow the attacker to cause a DoS condition or unauthenticated disclosure of information. This vulnerability affects Cisco ASA Software and Cisco Firepower Threat Defense Software.
Delta Electronics Combats Industrial Vulnerability with New Version of COMMGR (06/26/2018)
A stack-based overflow bug affects Delta Electronics' Industrial Automation COMMGR, version 1.08 and prior. A new version has been issued to alleviate risks, but Delta Electronics also recommends users apply application whitelists to allow only trusted communications via Ports 502 and 10002. Further information is available from the advisory posted by the ICS-CERT.
Firmware Update Alleviates Bug in Allen-Bradley CompactLogix and Compact GuardLogix (06/27/2018)
An ICS-CERT advisory recommends that users of Rockwell Automation's Allen-Bradley CompactLogix and Compact GuardLogix apply updated firmware versions to avoid an improper input validation issue. If affected by this vulnerability, a denial-of-service condition could occur.
IRS Quickly Moved Taxpayer Data for Protective Purposes, But Left It Exposed (06/27/2018)
A report from the Inspector General of the Treasury Department found that security mechanisms necessary to protect taxpayer data from cyber attackers were lacking in the agency's Cybersecurity Data Warehouse (CSDW), which was developed to collect and store security logs from dedicated devices used to protect the Internal Revenue Service (IRS) network. A 2016 data breach involving the Get Transcript app affected the tax account information for over 623,000 taxpayers. Following that incident, the IRS transferred taxpayer personally identifiable information (PII) to the CSDW. However, the IRS did not follow established security control processes, and in 2018, some of those controls remain weak, the report found. Because the taxpayer PII was transferred in haste to the CSDW in 2016, the main official in charge of the IRS' technology systems was unaware of it. That official only learned about the transfer from auditors.
Mozilla Releases Firefox 61 and New Versions of Firefox ESR (06/27/2018)
Mozilla has released Firefox ESR 52.9, Firefox ESR 60.1, and Firefox 61.
Siemens Advises on Access Control Bug in Multiple Products (06/27/2018)
A Siemens advisory offers information regarding an access control vulnerability in IEC 61850 system configurator, DIGSI 5, DIGSI 4, SICAM PAS/PQS, SICAM PQ Analyzer, and SICAM SCC products. Updates have been issued for several of these products. Further updates are being prepared.
Unpatched WordPress Bug Enables a Complete Site Takeover (06/28/2018)
An unpatched vulnerability in WordPress can result in arbitrary code execution, researchers at RIPS Technologies say. An authenticated arbitrary file deletion vulnerability exists in the WordPress core and affects all versions, including the latest one: 4.9.6. This vulnerability allows any user with the privileges of "Author" to completely take over the WordPress site and execute arbitrary code on the server. Although the research team notified WordPress of the bug in November 2017, a fix has yet to be released.
Update to WebAssembly Could Render Spectre, Meltdown Patches Useless (06/28/2018)
Forcepoint has discovered that a future update of WebAssembly (also known as Wasm), which is a method to distribute code executed in a browser, may actually circumvent the patches that were issued to deflect the zero-day Spectre and Meltdown side-channel vulnerabilities. A Wasm feature that has not yet been released is threading in shared memory, which improves speed and alleviates redundancy in coding. However, Forcepoint has warned that, "...once Wasm gets support for threads with shared memory (which is already on the Wasm roadmap), very accurate timers can be created. That may render browser mitigations of certain CPU side channel attacks non-working."
Weak Credentials, Other Security Issues Leave Ships Open to Hacks (06/28/2018)
The security team at Pen Test Partners has discovered that maritime vessels can be hacked to control navigation, engines, and other systems. The researchers found that an attack can occur through the "bridging point" devices which connect the IP network and the serial network. There are multiple bridging points on a ship, including its Electronic Chart Display and Information System, Voyage Data Recorder, synthetic radar, and occasionally, the Automatic Tracking System transponder. To implement their proof-of-concept, the researchers used serial-to-IP converters because they tend not to be updated and use default credentials, which are published by the manufacturers on their Web sites.
Windows Embedded Machines Vulnerable to NSA's DoublePulsar Exploit (06/28/2018)
A researcher who goes by the name "Capt. Meelo" has discovered that Windows Embedded devices are now vulnerable to the National Security Agency (NSA) exploit known as DoublePulsar. This backdoor exploit was stolen from the NSA and leaked in 2017. DoublePulsar, which Microsoft patched in March 2017, was able to run on different Windows releases, but none that utilized the Windows Embedded operating system. However, Capt. Meelo found through his own analysis that Windows Embedded systems are vulnerable to DoublePulsar via the EternalBlue bug, another NSA exploit.