Security Flaws & Fixes - W/E - 1/18/19

Bugs in Building Access System Could Lead to Creation of Fake Badges (01/14/2019)
Researchers at Tenable Research have identified several zero-day vulnerabilities in the PremiSys access control system from IDenticard that can be used by fraudsters to create fake badges, alter user data, and disable building locks. Once exploited, the most severe flaw would give cybercriminals administrator access to the entire badge system database via the PremiSys Windows Communication Foundation service endpoint. With administrator privileges, attackers can perform a variety of actions such as downloading the full contents of the system database, modifying its contents, or deleting users. Tenable made multiple attempts to contact IDenticard and, following a 90-day period, released its findings publicly.

Drupal Posts Security Advisories (01/16/2019)
Drupal has issued advisories to mitigate vulnerabilities that affect its products. The first advisory pertains to a security update to the third-party PEAR Archive_Tar library, which impacts some Drupal configurations. The second advisory addresses a remote code execution vulnerability in PHP's built-in phar stream wrapper, which can affect Drupal code.

Emerson Issues DeltaV DCS Patches to Prevent DoS Condition (01/14/2019)
Emerson's DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6, and prior are vulnerable to an authentication bypass which could lead to a denial-of-service condition. Software patches are offered to users to alleviate this vulnerability. Further details have been posted to the ICS-CERT site.

Flaw in Reservation System Leaves Airline Travelers Vulnerable (01/17/2019)
A vulnerability that affects multiple airlines could allow anyone to access and change private information on flight bookings. Researcher Noam Rotem and researchers at Safety Detective say that this issue affects 44% of international airlines. Rotem discovered the bug while booking a flight with Israeli carrier El Al. The vulnerability is in the online booking system of third-party provider Amadeus and involves altering a value in a link that the service sends to a customer. The bug can be abused to obtain passenger name records and other details. The Amadeus system serves over 200 airlines, including American, United, British Airways, and Lufthansa.

Intel Details Security Patches in Four Advisories (01/16/2019)
Intel patched vulnerabilities and issued four advisories with further details. Among these releases are fixes for several flaws in the vendor's SGX SDK and SGX Platform Software which could lead to escalation of privilege or information disclosure.

Microsoft Denies Fix for VCF File Vulnerability Affecting Windows (01/16/2019)
A serious flaw has been found in the way that Microsoft Windows processes VCard files, which could result in the execution of arbitrary code. A VCF file is a standard file format for storing contact information for a person or business. Crafted data in a VCard file can cause Windows to display a dangerous hyperlink, and the user interface fails to provide any indication of the hazard. An attacker can leverage this vulnerability to execute code in the context of the current user. Researcher John Page reported the bug to Microsoft, but the vendor said it won't be issuing any fixes.

Mitigations Available to Deflect Bug in Pilz PNOZmulti Configurator (01/14/2019)
Pilz's PNOZmulti Configurator, a safety circuit configuration tool, has a vulnerability that can lead to the reading of sensitive data from the system. An ICS-CERT advisory states that the vulnerability directly impacts the PMI m107 diag HMI device. Mitigation techniques are provided in the advisory.

Oracle Boots Nearly 300 Vulnerabilities with January Security Release (01/15/2019)
The Oracle Critical Patch Update for January provides 284 security fixes across various product lines. Users of Oracle products are instructed to apply all available patches.

Pentagon's IT Systems Plagued by Hundreds of Security Flaws (01/14/2019)
The Pentagon's networks are riddled with vulnerabilities that could result in payments being lost, stolen, or recreated, a Defense Department (DOD) inspector general audit has reported. Many of the department's IT systems used to process contracts and submit payments have weaknesses that cyber thieves could abuse. In addition, over 300 separate vulnerabilities that were brought to light in prior years remain unpatched. The audit also noted "significant deficiencies" and "instances of non-compliance" with laws and regulations within the Defense Department.

Popular Web Hosting Platforms Weakened by Account Takeover Flaws (01/15/2019)
Security researcher Paulos Yibelo found multiple account takeover and data leakage vulnerabilities on the Bluehost Web hosting platform. These bugs could enable attackers to steal personally identifiable information, partial payment card details, and tokens that access a user's hosted endpoints. In addition, Yibelo discovered weak password verification in changing account credentials. Yibelo has warned that similar flaws were found in other Web hosting platforms including Dreamhost, Host Gator, OVH, and iPage.

Update for LAquis SCADA Alleviates Multiple Vulnerabilities (01/15/2019)
Numerous bugs have been uncovered in LCDS' LAquis SCADA, an industrial automation software package. If exploited, remote code execution could occur or the system could crash. LCDS recommends that users update to Version 4.1.0.4150.

Update Released to Fix Bug in Omron's CX-One CX-Protocol (01/14/2019)
A type confusion vulnerability in Omron's CX-One CX-Protocol could allow an attacker to execute code under the privileges of the application, an ICS-CERT advisory has revealed. An updated version of CX-One addresses this issue.

Vulnerabilities in SCP Could Launch Malware, Swipe Critical Information (01/15/2019)
F-Secure researcher Harry Sintonen identified vulnerabilities in several secure copy protocol (SCP) clients that can be used to install a backdoor or other malware on a company network, steal confidential information, or carry out other malicious activities. The vulnerabilities were uncovered in WinSCP, PuTTY PSCP, and OpenSSH. Sintonen has developed a proof-of-concept attack in which a malicious server can stealthily write or overwrite files in the client's SCP target directory, change the directory's permissions, and spoof the client's output.
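The common thread in the SCP client flaws above is that the client trusts the file names and control messages the server sends back. The following is an added illustration (not code from F-Secure, OpenSSH, PuTTY or WinSCP) of the kind of client-side check that closes that trust gap: each server control line is parsed and a file is only created locally if its name is a plain basename, carries no terminal control characters, and matches the file the client actually asked for. The control-line layout (a `C`/`D` prefix, mode, size and name) follows the SCP protocol; the sample session lines are constructed for this example.

```python
import re

# Shape of the control lines an SCP server sends ahead of each file or directory
# (C = file, D = directory). The trailing name is chosen entirely by the server.
CONTROL_RE = re.compile(r"^(?P<kind>[CD])(?P<mode>[0-7]{4}) (?P<size>\d+) (?P<name>.+)$")


def validate_scp_name(name):
    """Return None if a server-supplied name is safe to create locally, else a reason."""
    if name in ("", ".", ".."):
        return "reserved or empty name"
    if "/" in name or "\\" in name:
        return "path separator in name (would escape the target directory)"
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        return "control character in name (could spoof terminal output)"
    return None


def check_scp_control_line(line, requested):
    """Validate one control line against the single file the client requested.

    Returns (accepted, reason). A hardened client refuses anything that is not
    exactly the file it asked for, so a server cannot slip in extra files.
    """
    m = CONTROL_RE.match(line)
    if not m:
        return False, "malformed control line"
    if m.group("kind") == "D":
        return False, "directory offered but a single file was requested"
    problem = validate_scp_name(m.group("name"))
    if problem:
        return False, problem
    if m.group("name") != requested:
        return False, "server offered a file the client did not request"
    return True, "ok"


def accepted_names(lines, requested):
    """Filter a server's control lines, keeping only the names the client would accept."""
    return [
        CONTROL_RE.match(line).group("name")
        for line in lines
        if check_scp_control_line(line, requested)[0]
    ]


# Constructed sample session: one legitimate file followed by hostile control lines.
SAMPLE_LINES = [
    "C0644 12 report.txt",            # the file the client asked for
    "C0644 4 ../.bashrc",             # traversal out of the target directory
    "C0755 7 .bashrc",                # unrequested dotfile dropped into the directory
    "C0644 12 report.txt\x1b[2J",     # escape sequence aimed at the user's terminal
    "D0755 0 evil",                   # directory the client never asked for
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(repr(line), "->", check_scp_control_line(line, "report.txt"))
    print("accepted:", accepted_names(SAMPLE_LINES, "report.txt"))
```

The name comparison is the piece older clients lacked: rejecting `..` and separators stops traversal, but only the equality check against the requested name stops a server from adding well-formed extra files to the transfer.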

Vulnerable RF Remote Controllers Leave Power Machinery Exposed to Attacks (01/14/2019)
A Trend Micro report reveals flaws and new vulnerabilities in radio frequency (RF) remote controllers that were found and disclosed through the vendor's Zero Day Initiative. The publication demonstrates how an attacker could persistently and remotely take control of, or simulate the malfunction of, the targeted machinery. The findings cover RF remote controllers found in cranes, drills, mining machinery, and other industrial devices produced by the seven most commonly deployed vendors. Trend Micro identified three basic failings in RF controllers: no rolling code; weak or no cryptography; and a lack of software protection. Leveraging these basic weaknesses enabled five remote and local attack types, which are detailed in the report.
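Two of the three failings named above (no rolling code, weak or no cryptography) are addressed by the same receiver design: every command frame carries a monotonically increasing counter and an authentication tag keyed with a secret shared between transmitter and receiver. The receiver accepts a frame only if the tag verifies and the counter is newer than the last accepted one, so a captured frame cannot be played back. This is an added example, not code from Trend Micro's report or from any controller vendor; the frame layout, the 8-byte truncated HMAC-SHA256 tag, the 16-frame resynchronisation window and the demo key are all assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

# Counters further ahead than this are rejected until the operator resyncs the pair
# (assumed window size for this example).
WINDOW = 16
TAG_LEN = 8  # truncated HMAC-SHA256 tag; assumed for the example


def build_frame(key, counter, command):
    """Transmitter side: frame = counter (4 bytes) || command (1 byte) || tag."""
    body = struct.pack(">IB", counter, command)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class RollingCodeReceiver:
    """Receiver that enforces both a rolling counter and an authentication tag."""

    def __init__(self, key):
        self.key = key
        self.last_counter = -1  # nothing accepted yet

    def accept(self, frame):
        """Return (True, command) for a fresh authentic frame, else (False, reason).

        Order matters: the tag is checked first so a forged counter cannot
        disturb the receiver's state, and the counter only advances on success.
        """
        if len(frame) != 5 + TAG_LEN:
            return False, "bad length"
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag"
        counter, command = struct.unpack(">IB", body)
        if counter <= self.last_counter:
            return False, "replayed or stale counter"
        if counter > self.last_counter + WINDOW:
            return False, "counter outside window"
        self.last_counter = counter
        return True, command


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real pairing key would be provisioned per device
    rx = RollingCodeReceiver(key)
    frame = build_frame(key, 1, 0x10)
    print("first delivery:", rx.accept(frame))   # accepted
    print("replay:", rx.accept(frame))           # rejected: counter already used
    forged = frame[:4] + bytes([0x11]) + frame[5:]
    print("tampered command:", rx.accept(forged))  # rejected: tag no longer verifies
```

A controller with a fixed code fails exactly where this receiver succeeds: with no counter, a recorded frame is indistinguishable from a live one, and with no keyed tag, any frame of the right shape is treated as genuine.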

Watchdog Points Out Cyber Flaws in Defense Department's Networks (01/14/2019)
The Defense Department's (DOD) networks are at risk of cyber attacks as a result of 266 exploitable vulnerabilities - some more than 10 years old - an inspector general report has found. These bugs had been reported in several documents between July 2017 and June 2018, and two of them dated back to 2008. The report noted that the DOD has taken steps to strengthen its cybersecurity posture by implementing actions to address 19 of the 159 recommendations made in the earlier reports.

XSS Bug Found in Tridium Niagara Enterprise Security, Niagara AX, and Niagara 4 (01/14/2019)
Niagara Enterprise Security, Niagara AX, and Niagara 4 from Tridium are vulnerable to cross-site scripting, which can be exploited to allow an authenticated user to inject client-side scripts into some Web pages that could then be viewed by other users. Tridium suggests upgrading to the latest versions of the products to mitigate the risk. An advisory from ICS-CERT provides further details.