Security Flaws & Fixes - W/E - 090718
Android Blasts Sensitive Info Via WiFi Broadcasts (09/04/2018)
Scientists at Nightwatch Cybersecurity has discovered that system broadcasts by Android expose information about the user's device to all applications running on the device, including the WiFi network name, local IP addresses, DNS server information, and the MAC address. By listening to these broadcasts, any application on the device can capture this information to bypass permission checks and existing mitigations. All versions of Android running on all devices are believed to be affected including forks (which powers Amazon's FireOS). Google fixed the issue in Android 9 but has no plans to patch earlier versions.
Scientists at Nightwatch Cybersecurity has discovered that system broadcasts by Android expose information about the user's device to all applications running on the device, including the WiFi network name, local IP addresses, DNS server information, and the MAC address. By listening to these broadcasts, any application on the device can capture this information to bypass permission checks and existing mitigations. All versions of Android running on all devices are believed to be affected including forks (which powers Amazon's FireOS). Google fixed the issue in Android 9 but has no plans to patch earlier versions.
Cisco Advises on Vulnerabilities Found in Its Products (09/06/2018)
Cisco released a number of advisories to address vulnerabilities across its product lines. Among the most critical issues are a buffer overflow bug in the vendor's RV110W, RV130W, and RV215W Routers Management Interface and an unauthorized access issue in Umbrella products.
Cisco released a number of advisories to address vulnerabilities across its product lines. Among the most critical issues are a buffer overflow bug in the vendor's RV110W, RV130W, and RV215W Routers Management Interface and an unauthorized access issue in Umbrella products.
Mozilla Pushes Out Updates for Firefox and Firefox ESR (09/06/2018)
Mozilla has issued updates for Firefox and Firefox ESR. These updates address serious security issues and users are instructed to download them for risk mitigation.
Mozilla has issued updates for Firefox and Firefox ESR. These updates address serious security issues and users are instructed to download them for risk mitigation.
Multiple Issues Fixed in Latest Version of Opsview Monitor (09/06/2018)
Core Security posted an advisory for Opsview Monitor due to multiple vulnerabilities. These issues could result in, among other things, remote code execution and cross-site scripting. Opsview was notified in May about these vulnerabilities and released updates in August. Opsview Monitor is used by DevsOps personnel to "deliver smarter business services by providing unified insight into their dynamic IT operations whether on-premises, in the cloud, or hybrid," according to the vendor.
Core Security posted an advisory for Opsview Monitor due to multiple vulnerabilities. These issues could result in, among other things, remote code execution and cross-site scripting. Opsview was notified in May about these vulnerabilities and released updates in August. Opsview Monitor is used by DevsOps personnel to "deliver smarter business services by providing unified insight into their dynamic IT operations whether on-premises, in the cloud, or hybrid," according to the vendor.
Open-Source Web Interface OctoPrint Exposes Thousands of 3D Printers (09/04/2018)
Nearly 4,000 instances of OctoPrint, an open-source 3D printer Web interface, are accessible online, leaving printers exposed to cyber attackers. Researchers at the SANS Internet Storm Center reviewed results from Shodan and learned that thousands of OctoPrint interfaces are available online, including 1,585 in the US alone. The scientists warn that this issue is a security nightmare because OctoPrint allows for the download of 3D objects in G-code, which are unencrypted text files. If downloaded, G-code files can swipe data. Cybercriminals can also send malicious G-code files and instruct the exposed device to print them.
Nearly 4,000 instances of OctoPrint, an open-source 3D printer Web interface, are accessible online, leaving printers exposed to cyber attackers. Researchers at the SANS Internet Storm Center reviewed results from Shodan and learned that thousands of OctoPrint interfaces are available online, including 1,585 in the US alone. The scientists warn that this issue is a security nightmare because OctoPrint allows for the download of 3D objects in G-code, which are unencrypted text files. If downloaded, G-code files can swipe data. Cybercriminals can also send malicious G-code files and instruct the exposed device to print them.
Oracle: Some of Our Products Affected by Apache Struts 2 Zero-Day Bug (09/04/2018)
Oracle has warned that some of its products are vulnerable to the critical Apache Struts 2 vulnerability that is being exploited in the wild. However, the vendor has stated that not all of its products that incorporate Struts 2 are necessarily affected. Oracle recommends that customers frequently review the original advisory, which lists affected products and versions, and plan to apply the updates as soon as they are released.
Oracle has warned that some of its products are vulnerable to the critical Apache Struts 2 vulnerability that is being exploited in the wild. However, the vendor has stated that not all of its products that incorporate Struts 2 are necessarily affected. Oracle recommends that customers frequently review the original advisory, which lists affected products and versions, and plan to apply the updates as soon as they are released.
Philips e-Alert Unit Found to Have Multiple Security Issues (09/04/2018)
An ICS-CERT advisory gives details regarding multiple advisories identified in the Philips e-Alert Unit, which is a non-medical device. Version R2.1 and prior are vulnerable. It is recommended that users review materials on Philips' Web site for mitigation and update information.
An ICS-CERT advisory gives details regarding multiple advisories identified in the Philips e-Alert Unit, which is a non-medical device. Version R2.1 and prior are vulnerable. It is recommended that users review materials on Philips' Web site for mitigation and update information.
RCE Bug in PHP Package Server Receives Patch (09/04/2018)
Security researcher Max Justicz found a remote code execution vulnerability on packagist.org, the default package server behind Composer, a PHP package manager. Packagist serves about 400 million package downloads each month. The vulnerability was reported and has since been alleviated.
Security researcher Max Justicz found a remote code execution vulnerability on packagist.org, the default package server behind Composer, a PHP package manager. Packagist serves about 400 million package downloads each month. The vulnerability was reported and has since been alleviated.
Routers' Automatic DNS Registration and Autodiscovery Cause Security Risks (09/05/2018)
an advisory from US-CERT details an issue in which routers auto-registering names on LANs can result in the loss of confidentiality and integrity of any network activity by providing for the opportunity to view network packets. If an attacker with access to the network adds a malicious device to the network with the name 'WPAD', such an attacker may be able to utilize DNS autoregistration and autodiscovery to act as a proxy for victims on the network, resulting in a loss of confidentiality and integrity of any network activity. Home/office LAN/WLAN routers should not auto-register to their local DNS magic names related to autoconfiguration. Furthermore autodiscovery features should not accept mDNS based names as authoritative sources.
an advisory from US-CERT details an issue in which routers auto-registering names on LANs can result in the loss of confidentiality and integrity of any network activity by providing for the opportunity to view network packets. If an attacker with access to the network adds a malicious device to the network with the name 'WPAD', such an attacker may be able to utilize DNS autoregistration and autodiscovery to act as a proxy for victims on the network, resulting in a loss of confidentiality and integrity of any network activity. Home/office LAN/WLAN routers should not auto-register to their local DNS magic names related to autoconfiguration. Furthermore autodiscovery features should not accept mDNS based names as authoritative sources.
Third-Party Company Issues "Micropatch" for Microsoft Zero-Day Flaw (09/04/2018)
A local privilege escalation vulnerability has been fixed in Windows Task Scheduler but it wasn't Microsoft that patched it. The security team at 0patch, which issues small fixes for vulnerabilities or "micropatches," delivered a 13 KB patch. It is expected that Microsoft will issue its own fix in its September batch of security patches.
A local privilege escalation vulnerability has been fixed in Windows Task Scheduler but it wasn't Microsoft that patched it. The security team at 0patch, which issues small fixes for vulnerabilities or "micropatches," delivered a 13 KB patch. It is expected that Microsoft will issue its own fix in its September batch of security patches.
Upgrades Mitigate Security Bug in Opto22 PAC Control Basic and PAC Control Professional (09/05/2018)
A stack-based overflow vulnerability could cause a crash and then result in a buffer overflow condition in Opto22's PAC Control Basic and PAC Control Professional. Users have been instructed to upgrade to the latest version. The ICS-CERT has also posted its own advisory.
A stack-based overflow vulnerability could cause a crash and then result in a buffer overflow condition in Opto22's PAC Control Basic and PAC Control Professional. Users have been instructed to upgrade to the latest version. The ICS-CERT has also posted its own advisory.