Security Flaws & Fixes - W/E - 11/2/18
Apache Updates Tomcat JK Connectors (11/01/2018)
Apache has issued an update for Tomcat JK Connectors due to a path traversal vulnerability. Users are instructed to upgrade to Apache Tomcat JK ISAPI Connector 1.2.46 or later.
Apache has issued an update for Tomcat JK Connectors due to a path traversal vulnerability. Users are instructed to upgrade to Apache Tomcat JK ISAPI Connector 1.2.46 or later.
Apple Refreshes Multiple Products (11/01/2018)
Apple has released updates for Safari, iCloud for Windows, iTunes, watchOS, iOS, tvOS, and macOS High Sierra, macOS Sierra, and MacOS Mojave. Users should immediately update their products.
Apple has released updates for Safari, iCloud for Windows, iTunes, watchOS, iOS, tvOS, and macOS High Sierra, macOS Sierra, and MacOS Mojave. Users should immediately update their products.
Cisco Advises on Vulnerabilities in Multiple Products (10/30/2018)
Cisco released multiple advisories on October 29, including a critical bulletin that details a vulnerability in the Prime File Upload servlet affecting multiple Cisco products. This bug could allow a remote attacker to upload arbitrary files to any directory of a vulnerable device and execute those files.
Cisco released multiple advisories on October 29, including a critical bulletin that details a vulnerability in the Prime File Upload servlet affecting multiple Cisco products. This bug could allow a remote attacker to upload arbitrary files to any directory of a vulnerable device and execute those files.
FDIC's Security Practices Need Strengthening to Protect Data (11/01/2018)
An audit conducted by the inspector general (IG) for the Federal Deposit Insurance Corporation (FDIC) has found security control weaknesses that have limited the effectiveness of the agency's information security program and some practices could leave data and the systems themselves at risk. A portion of the classified report has been made available and the IG said that while the FDIC has established some security controls and practices, it hasn't implemented software patches within its own defined timeframes. The report also identified instances in which contractor-performed security control assessments did not include testing of security control implementation, when warranted.
An audit conducted by the inspector general (IG) for the Federal Deposit Insurance Corporation (FDIC) has found security control weaknesses that have limited the effectiveness of the agency's information security program and some practices could leave data and the systems themselves at risk. A portion of the classified report has been made available and the IG said that while the FDIC has established some security controls and practices, it hasn't implemented software patches within its own defined timeframes. The report also identified instances in which contractor-performed security control assessments did not include testing of security control implementation, when warranted.
Hacker Finds Passcode Bypass Vulnerability in New iOS Version (11/01/2018)
Just hours after Apple released iOS 12.1, a hacker uncovered a passcode bypass bug that could enable anyone to see private information on an iPhone, The Hacker News reported. Jose Rodriguez uncovered the bug in the latest iOS version, which he demonstrates in a video. The bug is found in a new feature, Group FaceTime and works without having Siri or the VoiceOver screen reader enabled.
Just hours after Apple released iOS 12.1, a hacker uncovered a passcode bypass bug that could enable anyone to see private information on an iPhone, The Hacker News reported. Jose Rodriguez uncovered the bug in the latest iOS version, which he demonstrates in a video. The bug is found in a new feature, Group FaceTime and works without having Siri or the VoiceOver screen reader enabled.
Mozilla Gives Thunderbird ESR a Security Update (11/01/2018)
Mozilla pushed out an update for Thunderbird ESR to mitigate security issues. The current version is 60.3.
Mozilla pushed out an update for Thunderbird ESR to mitigate security issues. The current version is 60.3.
No Fix Yet for Zero-Day Bug in Cisco Security Appliances (11/01/2018)
A vulnerability in the Session Initiation Protocol inspection engine of Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software could allow an unauthenticated, remote attacker to cause an affected device to reload or trigger high CPU, resulting in a denial-of-service condition. Software updates are not yet available and Cisco said that there are no workarounds that address this vulnerability. However, an advisory offers mitigations.
A vulnerability in the Session Initiation Protocol inspection engine of Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software could allow an unauthenticated, remote attacker to cause an affected device to reload or trigger high CPU, resulting in a denial-of-service condition. Software updates are not yet available and Cisco said that there are no workarounds that address this vulnerability. However, an advisory offers mitigations.
Popular POS Terminals Found Vulnerable to Cyber Attacks (11/01/2018)
Researchers at Positive Technologies have identified vulnerabilities in mobile point of sale terminals which could result in attacks. SumUp, iZettle, PayPal, and Square were the vendors analyzed and all were found to be vulnerable in some way. Multiple attack methods were discovered and in some cases, the payment terminal can be manipulated. Researcher Leigh-Anne Galloway published further details about the study in a blog post.
Researchers at Positive Technologies have identified vulnerabilities in mobile point of sale terminals which could result in attacks. SumUp, iZettle, PayPal, and Square were the vendors analyzed and all were found to be vulnerable in some way. Multiple attack methods were discovered and in some cases, the payment terminal can be manipulated. Researcher Leigh-Anne Galloway published further details about the study in a blog post.
Report Finds Highly Exposed Water and Energy Infrastructures (10/30/2018)
A new Trend Micro report discusses the cybersecurity challenges faced by the energy and water sectors and the vulnerabilities found in many human machine interfaces (HMIs). The vendor uncovered details regarding exposed HMIs in the water sector around the globe, which included monitoring and control interfaces from different water-related systems. Oil and gas, biogas, and power systems also showed vulnerabilities, with most exposed HMIs located in the US.
A new Trend Micro report discusses the cybersecurity challenges faced by the energy and water sectors and the vulnerabilities found in many human machine interfaces (HMIs). The vendor uncovered details regarding exposed HMIs in the water sector around the globe, which included monitoring and control interfaces from different water-related systems. Oil and gas, biogas, and power systems also showed vulnerabilities, with most exposed HMIs located in the US.
Researchers Discover JavaScript Code Execution Bug in Office (10/30/2018)
Researchers at Cymulate uncovered a security flaw in Microsoft Office Suite which may affect Word users. The security flaw was identified as a JavaScript code execution within the office-embedded video component. It has the potential to impact all users with Office 2016 and older versions of Productivity Suite. Cymulate noted that no configuration was required to reproduce the issue and no security warning is presented while opening this document with Word.
Researchers at Cymulate uncovered a security flaw in Microsoft Office Suite which may affect Word users. The security flaw was identified as a JavaScript code execution within the office-embedded video component. It has the potential to impact all users with Office 2016 and older versions of Productivity Suite. Cymulate noted that no configuration was required to reproduce the issue and no security warning is presented while opening this document with Word.
Security Bugs in Advantech WebAccess Have Been Patched (10/29/2018)
Two vulnerabilities in Advantech WebAccess have been mitigated in version 8.33. If exploited, the two bugs could have resulted in an arbitrary remote code execution. The ICS-CERT has posted an advisory.
Two vulnerabilities in Advantech WebAccess have been mitigated in version 8.33. If exploited, the two bugs could have resulted in an arbitrary remote code execution. The ICS-CERT has posted an advisory.
UNIX Systems Vulnerable to X.Org Flaw (10/29/2018)
Incorrect command-line parameter validation in the X.Org X server can lead to privilege elevation and/or arbitrary files overwrite, when the X server is running with elevated privileges, according to an advisory. A patch was released to alleviate risks. X.Org is an open-source implementation of the X Windows System and is used by BSD and Linux operating systems.
Incorrect command-line parameter validation in the X.Org X server can lead to privilege elevation and/or arbitrary files overwrite, when the X server is running with elevated privileges, according to an advisory. A patch was released to alleviate risks. X.Org is an open-source implementation of the X Windows System and is used by BSD and Linux operating systems.
Updated Version of GEOVAP Reliance 4 SCADA/HMI Fixes XSS Bug (10/29/2018)
A cross-site scripting vulnerability in GEOVAP's Reliance 4 SCADA/HMI could allow an unauthenticated attacker to use HTTP proxy to inject arbitrary JavaScript in a specially crafted HTTP request that may reflect it back in the HTTP response. According to an ICS-CERT advisory, Reliance SCADA Version 4.7.3 Update 3 and prior are vulnerable. GEOVAP released Version 4.8.0, which mitigates the vulnerability.
A cross-site scripting vulnerability in GEOVAP's Reliance 4 SCADA/HMI could allow an unauthenticated attacker to use HTTP proxy to inject arbitrary JavaScript in a specially crafted HTTP request that may reflect it back in the HTTP response. According to an ICS-CERT advisory, Reliance SCADA Version 4.7.3 Update 3 and prior are vulnerable. GEOVAP released Version 4.8.0, which mitigates the vulnerability.
Updates Available for Flaw in PEPPERL+FUCHS CT50-Ex (11/01/2018)
An improper privilege management vulnerability in PEPPERL+FUCHS CT50-Ex could allow a malicious third-party application to gain elevated privileges and obtain access to sensitive information. All users of the affected products should update products as follows: if using Android v6.0, update to CommonES 4.01.00.4134 or later. Update ECP to Version 2.30.00.0167 or later (if applicable). If using Android 4.4, update to CommonES 3.17.3445 or later. An ICS-CERT advisory details this vulnerability further.
An improper privilege management vulnerability in PEPPERL+FUCHS CT50-Ex could allow a malicious third-party application to gain elevated privileges and obtain access to sensitive information. All users of the affected products should update products as follows: if using Android v6.0, update to CommonES 4.01.00.4134 or later. Update ECP to Version 2.30.00.0167 or later (if applicable). If using Android 4.4, update to CommonES 3.17.3445 or later. An ICS-CERT advisory details this vulnerability further.
Yi Technology Home Camera Contains Multiple Security Issues (11/01/2018)
Cisco's Talos team has disclosed details about multiple vulnerabilities in the firmware of the Yi Technology Home Camera. These vulnerabilities could allow an attacker to gain remote code execution on the devices via a command injection, bypass methods of network authentication, or disable the device. The Yi Home Camera is an Internet of Things home camera sold globally. Yi Technology was notified and has since released a new version of the firmware.
Cisco's Talos team has disclosed details about multiple vulnerabilities in the firmware of the Yi Technology Home Camera. These vulnerabilities could allow an attacker to gain remote code execution on the devices via a command injection, bypass methods of network authentication, or disable the device. The Yi Home Camera is an Internet of Things home camera sold globally. Yi Technology was notified and has since released a new version of the firmware.