Security Flaws & Fixes - W/E - 12/21/18

3S-Smart's CODESYS Products Have Critical Vulnerabilities (12/18/2018)
Two advisories for 3S-Smart Software products have been posted to the ICS-CERT Web site. The first advisory provides mitigation recommendations for an improper access control vulnerability identified in 3S-Smart Software's CODESYS Control V3 products. The second advisory provides mitigations for insufficiently random values and improper restriction of communication channel to intended endpoints vulnerabilities identified in 3S-Smart Software's CODESYS V3 products.

Advantech Updates WebAccess/SCADA to Mitigate Stack Buffer Overflow (12/18/2018)
A bug in Advantech's WebAccess/SCADA platform could result in a stack buffer overflow condition, which has been discussed in an advisory from the ICS-CERT. Advantech has released Version 8.3.4 of WebAccess/SCADA to address this issue.

Cisco Pushes Out Fix for Software Privilege Escalation Bug in ASA Software (12/19/2018)
A vulnerability in the authorization subsystem of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, but unprivileged (levels 0 and 1), remote attacker to perform privileged actions by using the Web management interface. The vulnerability is due to improper validation of user privileges when using the Web management interface. Cisco has released software updates that address this vulnerability.

Cyber Failures at Defense Department Could Put Missile Defense Systems at Risk (12/17/2018)
An audit conducted by the Department of Defense (DOD) Inspector General has identified weaknesses in the security controls and processes at DOD facilities that protect ballistic missile defense system (BMDS) technical information on classified networks from insider and external cyber threats. The audit only assessed classified networks because they processed, stored, and transmitted both classified and unclassified BMDS technical information and determined that officials did not consistently implement security controls and processes. Among the issues noted were the lack of multifactor authentication for access to BMDS information and the lack of encryption for transmitted BMDS technical information.

Facebook Photo API Bug Compromised 6.8 Million Accounts (12/17/2018)
Facebook admitted that a photo API bug may have breached 6.8 million users between September 13 and 25. The vulnerability affected people who used Facebook Login and granted permission to third-party apps to access their photos. It has since been fixed.

Federal Agencies Must Bolster Their Information Systems from Cyber Intrusions (12/18/2018)
A watchdog report has found that many US government agencies haven't taken the necessary steps to secure information systems despite being aware of a federal government strategy. Of the 23 agencies that reported findings to the Government Accountability Office (GAO), 17 of those agencies' Inspectors General said that security programs were not effectively implemented. Additionally, internal controls for financial reporting had material weaknesses or significant deficiencies at 17 of the 23 agencies. The GAO has made recommendations that could improve these deficiencies and security issues.

Free VPN Service Has Flaws and Could Result in Dangerous Activity (12/18/2018)
Major flaws have been spotted in HolaVPN, a free, community VPN that enables users to share Internet connections with others worldwide, and Trend Micro released details regarding these issues. The study revealed that more than 85% of the traffic that was assessed was directed to mobile advertisements and other mobile-related domains and programs, an indication that cybercriminals could use the service for large-scale click fraud schemes.

GE Advises on Security Issue in Mark VIe, EX2100e, EX2100e_Reg, and LS2100e (12/17/2018)
GE's Mark VIe, EX2100e, EX2100e_Reg, and LS2100e can be exploited due to a path traversal vulnerability. An advisory posted to the ICS-CERT Web site states that GE recommends users upgrade to the current version of ControlST software as described in CSB25378, which is available to registered users via the GE Power ServiceNow portal. In applications where the controller-hosted Web server is not required, GE recommends turning off the Web server. For all other applications, GE recommends updating the controller to the latest firmware version available in the current ControlST release.

Latest Version of WordPress Has Been Made Public (12/17/2018)
The latest version of WordPress, 5.0.1, has been made available. This is a security release for all versions since WordPress 3.7 and fixes various bugs.

Logitech Gets Called Out on Options Flaw and Releases Immediate Fix (12/18/2018)
Project Zero security researcher Tavis Ormandy identified a keystroke injection bug in Logitech's Options applications for Windows and publicly released details after the vendor failed to provide a fix by December 11 - within 90 days of notification. Logitech issued an update on December 13. Version 7.00.564 (7.00.554 for Mac) fixes this issue.

Microsoft Pushes Out Emergency IE Fix Amid Reports of Attacks (12/19/2018)
Microsoft issued an out-of-band security update for Internet Explorer after receiving a notification from Google that the vulnerability was being exploited in targeted attacks. The update resolves a remote code execution issue that exists in the way that the scripting engine handles objects in memory in Internet Explorer.

Multiple Vulnerabilities Discovered in ABB Product Lines (12/18/2018)
Several ICS-CERT advisories pertain to ABB product vulnerabilities. An improper authentication vulnerability exists in the ABB M2M Ethernet software. A second advisory discusses the same type of vulnerability in the ABB CMS-770 software. Finally, mitigation recommendations have been posted in a third advisory to address missing authentication for critical function and cross-site scripting vulnerabilities in ABB's GATE-E2 Ethernet devices.

OS Command Injection Bug Detected in Geutebrück E2 Camera Series (12/17/2018)
Geutebrück's E2 Camera Series is vulnerable to an operating system command injection. E2 series cameras running firmware versions prior to 1.12.0.25 are affected and firmware version 1.12.0.25 fixes this issue. Further details are available from an ICS-CERT advisory.

Researchers Find Computer Chip Bugs that Could Result in Electronics Malfunctions (12/17/2018)
A Washington State University research team has uncovered significant and previously unknown vulnerabilities in high-performance computer chips that could lead to failures in modern electronics. The researchers found they could damage the on-chip communications system and shorten the lifetime of the whole computer chip significantly by deliberately adding malicious workloads. The team is working to understand the vulnerabilities of computer chips as a way to prevent malicious attacks on electronics.

Sensitive Data Leaks Possible with Medtronic Programmers (12/17/2018)
A medical device advisory warns that encryption is missing for Medtronic's 9790 CareLink Programmer, 2090 CareLink Programmer, and 29901 Encore Programmer and sensitive data could be accessed. The CareLink 9790 Programmer has been placed into end-of-life status and is no longer supported by Medtronic. The CareLink 2090 and 29901 Encore programmers store protected health information (PHI) or personally identifiable information (PII) as part of their normal operating procedure. Medtronic recommends that PHI/PII stored on these programmers be retained for the least amount of time necessary, and be handled, managed and secured in a manner consistent with the applicable laws for patient data privacy.

Siemens Fixes Missing Authentication Issue in TIM 1531 IRC (12/17/2018)
Siemens' TIM 1531 IRC modules are affected by a missing authentication bug that the vendor fixed on December 17. Further information is available from an advisory.

Twitter Flaw May Have Been Exploited by State-Sponsored Hackers (12/18/2018)
A bug in a Twitter support form application program interface (API) may have been abused by cyber spies, the social media company said in a statement. The flaw enabled thieves to find the country code of account holders' phone numbers if they had one associated with their Twitter account. The company said, "During our investigation, we noticed some unusual activity involving the affected customer support form API. Specifically, we observed a large number of inquiries coming from individual IP addresses located in China and Saudi Arabia. While we cannot confirm intent or attribution for certain, it is possible that some of these IP addresses may have ties to state-sponsored actors." The bug was discovered on November 15 and a patch was issued the following day.

Upgrade Recommended for Schneider Electric GUIcon Eurotherm (12/17/2018)
Eurotherm by Schneider Electric GUIcon Version 2.0 (Gold Build 683.0) is prone to stack-based overflow and type confusion vulnerabilities, according to an ICS-CERT advisory. Users are instructed to upgrade to GUIcon Version 2.0 Software Package (Gold Build 683.003), which includes fixes for these vulnerabilities.

XSS Bug Found in Pixar's Tractor Network Rendering Software (12/17/2018)
An advisory from the CERT Coordination Center at the Software Engineering Institute (SEI) reveals that Pixar's Tractor network rendering software is vulnerable to stored cross-site scripting which may allow an attacker to execute arbitrary JavaScript. Versions 2.2 and earlier are affected. Pixar has released an updated version of this software that mitigates this vulnerability, Tractor version 2.3 (build 1923604).