Security Flaws & Fixes - W/E - 2/1/19
Advantech Updates WebAccess/SCADA to Boot Vulnerabilities (01/28/2019)
Advantech WebAccess/SCADA is vulnerable to improper authentication, authentication bypass, and SQL injection flaws. Version 8.3 is affected, but the vendor has released version 8.3.5 of WebAccess/SCADA to alleviate issues. Further information is available from an ICS-CERT advisory.
Attackers Exploit Vulnerability in Cisco RV320/RV325 Routers (01/28/2019)
Honeypots belonging to Bad Packets Report detected multiple hosts targeting Cisco Small Business RV320 and RV325 routers. A vulnerability in these routers allows remote, unauthenticated information disclosure and can lead to remote code execution. Over 9,000 routers are open to attacks. Cisco issued an advisory and firmware updates for this issue.
Critical DNS Updates to Roll Out on February 1 (01/30/2019)
Several DNS resolver operators, including PowerDNS, Internet Systems Consortium (ISC), and Google, will release updates that implement stricter Extension Mechanisms for DNS (EDNS) handling on February 1. EDNS is a set of extensions that allow DNS messages to be larger than the base protocol permits and to carry additional information between the hosts involved in the resolution process. This update will speed up DNS resolution by requiring everyone to implement EDNS correctly, and it will simplify the deployment of future features. The Multi-State Information Sharing & Analysis Center (MS-ISAC) has issued an alert regarding these updates.
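As an added example that is not from the MS-ISAC alert or any resolver vendor, the following Python builds an EDNS(0) query and parses a response to tell an EDNS-aware server from one that still drops the OPT record; the advertised buffer size and the two sample responses are constructed for this illustration.

```python
import struct
from typing import Optional
OPT_TYPE = 41       # EDNS(0) OPT pseudo-RR type (RFC 6891)
UDP_PAYLOAD = 1232  # advertised UDP buffer size; a value chosen for this example

def build_edns_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a DNS query for `name` carrying an EDNS(0) OPT record in the additional section."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack(">HH", qtype, 1)  # QCLASS IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack(">HHIH", OPT_TYPE, UDP_PAYLOAD, 0, 0)
    return header + question + opt

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_edns(msg: bytes) -> Optional[dict]:
    """Return the OPT record's fields if the message carries EDNS, otherwise None."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == OPT_TYPE:
            return {"udp_size": rclass, "ext_rcode": ttl >> 24, "version": (ttl >> 16) & 0xFF,
                    "do": bool(ttl & 0x8000), "rcode": flags & 0x0F}
        off += rdlen
    return None

def edns_compliant(response: bytes) -> bool:
    return parse_edns(response) is not None  # an EDNS-aware server echoes the OPT record

# Constructed sample responses (not captured from any real server).
QUESTION = b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)
ANSWER = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
COMPLIANT = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1) + QUESTION + ANSWER
             + b"\x00" + struct.pack(">HHIH", OPT_TYPE, 4096, 0, 0))
# Legacy behaviour the flag day stops working around: FORMERR (rcode 1) with the OPT record dropped.
LEGACY = struct.pack(">HHHHHH", 0x1234, 0x8181, 1, 0, 0, 0) + QUESTION
```

To check a real authoritative server, send `build_edns_query(...)` over UDP port 53 and pass the reply to `edns_compliant`.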
Google Chrome 72 Released on January 29 (01/30/2019)
Google released Chrome 72 to the stable channel for Windows, Mac and Linux. This update consists of 58 security fixes.
Insufficiently Protected Credentials Possible in AVEVA Wonderware System Platform (01/30/2019)
The Wonderware System Platform from AVEVA does not adequately protect credentials, according to an ICS-CERT advisory. The platform uses an ArchestrA network user account for authentication of system processes and inter-node communications. A user with low privileges could make use of an API to obtain the credentials for this account. AVEVA recommends that users of Wonderware System Platform 2017 Update 2 and prior upgrade to System Platform 2017 Update 3 as soon as possible.
Mitsubishi Electric Addresses Vulnerability in MELSEC-Q Series PLCs (01/30/2019)
Mitigations are available for a resource exhaustion vulnerability in Mitsubishi Electric's MELSEC-Q series PLCs. In addition to applying a new version of the firmware to alleviate risks, users should operate the affected device behind a firewall. The ICS-CERT has posted an advisory.
Mozilla Releases Security Updates, Adds Privacy Controls for Firefox (01/30/2019)
Mozilla posted updates for Thunderbird, fixing critical vulnerabilities in versions prior to 60.5. Updates for Firefox and Firefox ESR also alleviate several critical- and high-severity security issues. With the release of Firefox 65, Mozilla delivered improved controls for the Content Blocking section so that users can decide which level of privacy protection they want.
NTLM Relay Attacks Possible in Microsoft Exchange Server 2013 and Newer (01/29/2019)
The CERT Coordination Center (CERT/CC) has released information to address NTLM relay attacks affecting Microsoft Exchange 2013 and newer versions. These versions fail to set signing and sealing flags on NTLM authentication traffic, which can allow a remote attacker to gain the privileges of the Exchange server. There is no practical solution to this issue at this time, but the CERT/CC has published an advisory with workarounds.
Phoenix Contact's FL SWITCH Devices Have Vulnerabilities (01/28/2019)
Phoenix Contact recommends that users of FL SWITCH devices update the firmware to Version 1.35 or higher to alleviate various security issues. It is also recommended that users contact the vendor to enable HTTP security. The ICS-CERT has posted an advisory regarding the vulnerabilities.
Security Issue in BD FACSLyric Results in ICS-CERT-Issued Advisory (01/30/2019)
Becton, Dickinson and Company's (BD) FACSLyric contains an improper access control vulnerability. This issue does not impact BD FACSLyric flow cytometry systems using the Windows 7 Operating System. Further information is available from an ICS-CERT advisory.
Stryker Medical Products Vulnerable to Data Injection (01/30/2019)
Some Stryker medical beds contain a vulnerability that could allow data traffic manipulation, resulting in partial disclosure of encrypted communication or injection of data. Software updates have been issued for some products and mitigation techniques are also available. The ICS-CERT has issued an advisory.
Total Donations Plugin for WordPress Compromised by Multiple Critical Bugs (01/28/2019)
Researchers at Wordfence identified multiple critical vulnerabilities in the commercial Total Donations plugin for WordPress. These vulnerabilities, present in all known versions of the plugin up to and including 2.0.5, are being exploited by malicious actors to gain administrative access to affected WordPress sites. The researchers suggest that site owners using Total Donations delete - not just deactivate - the vulnerable plugin as soon as possible to secure their sites.
Updates Remedy Vulnerability in Yokogawa License Manager Service (01/30/2019)
Yokogawa License Manager Service contains a bug that could enable an attacker to remotely upload files, allowing execution of arbitrary code. According to the ICS-CERT, Kaspersky Lab identified the bug and reported it. Yokogawa recommends users of affected devices and versions update to the latest available release.