Security Flaws & Fixes - W/E - 2/8/19
Advice Provided for Marvell Avastar Wi-Fi Vulnerability (02/06/2019)
The CERT Coordination Center warned that some Marvell Avastar wireless system on chip (SoC) models have multiple vulnerabilities, including a block pool overflow during Wi-Fi network scanning. An unauthenticated attacker within Wi-Fi radio range may be able to use a specially crafted series of Wi-Fi frames to execute arbitrary code on the vulnerable Marvell SoC. Depending on the implementation, a compromised SoC may then be used to intercept network traffic or to achieve code execution on the host system. Affected users should contact Marvell representatives for additional support. Microsoft has issued an update for Surface Pro 3 devices running Windows 10 Creators Update (version 1703) or later.
AVEVA InduSoft Web Studio and InTouch Edge HMI Are Vulnerable to Attacks (02/06/2019)
Exploitation of vulnerabilities in AVEVA's InduSoft Web Studio and InTouch Edge HMI (formerly InTouch Machine Edition) could allow a remote attacker to execute an arbitrary process using a specially crafted database connection configuration file. AVEVA recommends affected users upgrade to the latest version of affected products. The ICS-CERT posted an advisory with further information.
Check Point Finds Holes in Remote Desktop Protocol, Some Fixes Available (02/05/2019)
Vulnerabilities in Remote Desktop Protocol (RDP) clients could allow a malicious RDP server to reverse the usual direction of communication and infect the connecting client, potentially leading to a complete intrusion of the IT network. Check Point Software found a total of 25 vulnerabilities, 16 of which it rates as major. It uncovered 19 in the rdesktop client, including two remote code execution bugs, and six in FreeRDP, including integer overflow and remote code execution issues. Check Point also reverse-engineered Microsoft's Mstsc.exe RDP client and found a path traversal vulnerability. FreeRDP and rdesktop have since released fixes. Microsoft was contacted and stated, "We determined your finding is valid but does not meet our bar for servicing. For more information, please see the Microsoft Security Servicing Criteria for Windows..."
Disable SNMP in Rockwell Automation EtherNet/IP Web Server Modules for Risk Mitigation (02/06/2019)
An ICS-CERT advisory describes an improper input validation bug in Rockwell Automation's EtherNet/IP Web Server Modules. Successful exploitation could allow a remote attacker to deny communication with the module's Simple Network Management Protocol (SNMP) service. Rockwell Automation recommends that affected users disable the SNMP service if it is not in use.
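Disabling a service is only a mitigation once it is confirmed off. The following probe, added here as an editorial example and not tooling from Rockwell Automation or ICS-CERT, hand-encodes one SNMPv1 GET for sysDescr.0 and reports whether anything answers on UDP/161. The BER encoder only handles short-form lengths and single-byte integers, which is enough for this request; the host, community string and port are assumptions to be replaced with your own.

```python
"""Minimal SNMPv1 GET probe to confirm an SNMP agent is no longer answering.
Added example, not vendor tooling.  Short-form BER only (payloads < 128 bytes)."""
import socket
import sys

SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"   # SNMPv2-MIB::sysDescr.0


def _tlv(tag, payload):
    # BER tag-length-value with short-form length (assumption: payload < 128 bytes)
    assert len(payload) < 128, "short-form length only"
    return bytes([tag, len(payload)]) + payload


def _integer(n):
    # BER INTEGER for the small non-negative values used in this request
    assert 0 <= n < 128, "single-byte integers only"
    return _tlv(0x02, bytes([n]))


def _oid(dotted):
    """BER OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:                       # continuation bytes carry bit 7 set
            chunks.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunks))
    return _tlv(0x06, bytes(body))


def build_snmpv1_get(community, oid, request_id=1):
    """SNMPv1 Message ::= SEQUENCE { version 0, community, GetRequest-PDU }."""
    varbind = _tlv(0x30, _oid(oid) + b"\x05\x00")            # OID + NULL value
    pdu = _tlv(0xA0, _integer(request_id) + _integer(0) + _integer(0)
               + _tlv(0x30, varbind))                         # [0] GetRequest
    return _tlv(0x30, _integer(0) + _tlv(0x04, community.encode("ascii")) + pdu)


def snmp_responds(host, community="public", port=161, timeout=2.0):
    """Send one GET and report whether any SNMP message came back.
    Even an error PDU (e.g. wrong community) means the agent is still listening."""
    packet = build_snmpv1_get(community, SYS_DESCR_OID)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(packet, (host, port))
            data, _ = s.recvfrom(4096)
        except OSError:
            # timeout, or ICMP port-unreachable surfacing as ConnectionRefusedError
            return False
    return len(data) > 0 and data[0] == 0x30   # outer SEQUENCE of an SNMP message


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"   # assumed module address
    print("request:", build_snmpv1_get("public", SYS_DESCR_OID).hex())
    print(target, "SNMP still answering" if snmp_responds(target) else "no SNMP response")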
European Commission Concerned about Privacy Issues Surrounding Kids' Smart Watch (02/06/2019)
The European Commission (EC) has ordered a recall of the Safe-KID-One smart watch for children because the mobile application accompanying the watch communicates with its backend server without encryption, and the server allows unauthenticated access to data. Data such as location history, phone numbers, and the device serial number can be retrieved and changed. A malicious user can send commands to any watch, making it call a number of the attacker's choosing, communicate with the child wearing the device, or locate the child via GPS. The Commission said that the smart watch does not comply with its Radio Equipment Directive.
Google Stomps Out 11 Critical Bugs in February's Batch of Android Fixes (02/05/2019)
In its February Android Security Bulletin, Google fixed a total of 11 critical bugs, including three critical Android Framework vulnerabilities, one of which could enable a remote attacker to execute arbitrary code using a specially crafted Portable Network Graphics (PNG) file.
Microsoft Advises on Exchange Server Elevation of Privilege Vulnerability (02/06/2019)
An elevation of privilege vulnerability in Microsoft Exchange Server could allow an attacker to impersonate any other user of the Exchange server. To exploit it, an attacker would need to perform a man-in-the-middle attack that forwards an authentication request to an Exchange server, thereby impersonating another Exchange user. An update is in development; in the meantime, Microsoft has issued an advisory with mitigation steps.
NIST Releases Status Report on Round 2 of the PQC Standardization Process (02/04/2019)
The NIST published Internal Report 8240, Status Report on the First Round of the NIST Post-Quantum Cryptography Standardization Process. This publication provides information on the 26 candidate algorithms that have advanced to the second round of the NIST Post-Quantum Cryptography standardization process.
NSA Updates Guidance for Side-Channel Vulnerabilities Affecting Processors (02/04/2019)
The National Security Agency (NSA) has released updated information on a set of side-channel vulnerabilities affecting modern computer processors. The document provides mitigation actions and links to further resources for reducing the risk.
RCE or DoS Possible in Kunbus PR100088 Modbus Gateway (02/06/2019)
The PR100088 Modbus gateway from Kunbus is vulnerable to several critical bugs that could result in a denial-of-service condition or allow an attacker to achieve remote code execution. An ICS-CERT advisory describes mitigation steps to reduce the risk from these vulnerabilities.
RCE Via Macro Bug Patched in LibreOffice but OpenOffice Users Still Vulnerable (02/07/2019)
A remote code execution issue can occur in LibreOffice and Apache OpenOffice if a user opens a malicious ODT file and moves the mouse over the document, without any warning dialog being triggered. Security researcher Alex Inführ found the vulnerability, reported it, and published proof-of-concept code. The Document Foundation, which develops LibreOffice, fixed the bug and stated in an advisory, "Prior to 6.0.7/6.1.3 LibreOffice was vulnerable to a directory traversal attack where it was possible to craft a document which when opened by LibreOffice would, when such common document events occur, execute a python method from a script in any arbitrary file system location, specified relative to the LibreOffice install location." However, the bug also affects OpenOffice, and a fix has yet to be issued.
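Until OpenOffice ships a fix, mail gateways and analysts can at least triage incoming ODT files for the pattern the advisory describes: a document event listener whose script URI walks up the directory tree. The scanner below is an editorial example, not the researcher's proof of concept or code from either project. It unzips the ODT, reads every script:event-listener in content.xml and styles.xml, and flags listeners whose vnd.sun.star.script: path contains a ".." segment (percent-encoded or not). The two sample documents are constructed inline; their hrefs are illustrative shapes, not the published exploit.

```python
"""Flag ODT event listeners whose script URI uses directory traversal.
Added example; not the researcher's PoC and not LibreOffice/OpenOffice code."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote
from xml.sax.saxutils import escape

SCRIPT_NS = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
XLINK_NS = "http://www.w3.org/1999/xlink"
SCRIPT_URI_PREFIX = "vnd.sun.star.script:"     # LibreOffice/OpenOffice script URI scheme
PARTS_TO_SCAN = ("content.xml", "styles.xml")  # where ODF stores event listeners


def event_listeners(odt_bytes):
    """Yield (part, event_name, href) for every <script:event-listener>."""
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        for part in PARTS_TO_SCAN:
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for el in root.iter("{%s}event-listener" % SCRIPT_NS):
                yield (part,
                       el.get("{%s}event-name" % SCRIPT_NS, ""),
                       el.get("{%s}href" % XLINK_NS, ""))


def traversal_in_script_uri(href):
    """True if href is a script URI whose script path (before '?') has a '..'
    segment after percent-decoding.  'a..b' style names are not traversal."""
    if not href.startswith(SCRIPT_URI_PREFIX):
        return False
    path = unquote(href[len(SCRIPT_URI_PREFIX):].split("?", 1)[0])
    return any(seg == ".." for seg in re.split(r"[\\/]", path))


def scan_odt(odt_bytes):
    """Return the (part, event_name, href) listeners that traverse directories."""
    return [hit for hit in event_listeners(odt_bytes) if traversal_in_script_uri(hit[2])]


# Constructed sample: a single link carrying one mouseover listener.
CONTENT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<office:document-content
    xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
    xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"
    xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0"
    xmlns:xlink="http://www.w3.org/1999/xlink">
  <office:body><office:text>
    <text:p>Hover over <text:a xlink:href="#">this link<office:event-listeners>
      <script:event-listener script:event-name="dom:mouseover"
          script:language="ooo:script" xlink:href="%s"/>
    </office:event-listeners></text:a>.</text:p>
  </office:text></office:body>
</office:document-content>
"""


def make_odt(href):
    """Build a minimal ODT (zip) whose one listener carries the given href."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", CONTENT_XML % escape(href))
    return buf.getvalue()


# Illustrative hrefs (assumed shapes, not the published exploit).
BENIGN_HREF = "vnd.sun.star.script:Standard.Module1.Main?language=Basic&location=document"
TRAVERSAL_HREF = "vnd.sun.star.script:../../../../x/y.py$run?language=Python&location=share"

if __name__ == "__main__":
    for label, href in (("benign", BENIGN_HREF), ("traversal", TRAVERSAL_HREF)):
        hits = scan_odt(make_odt(href))
        print(label, "->", "SUSPICIOUS" if hits else "ok", hits)
```

Treat a hit as a reason to quarantine rather than proof of malice: legitimate documents reference scripts by name, not by a path that climbs out of the install directory.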
Researcher Points Out Unpatched macOS Password-Stealing Vulnerability (02/06/2019)
A zero-day hole in macOS Mojave allows a malicious app to gain access to passwords stored in the Keychain. Security researcher Linus Henze published a video describing his findings but has not released proof-of-concept code. Henze said that the malicious app does not require administrative privileges to steal the passwords. He did not report the vulnerability to Apple because the company does not have a bug bounty program for macOS. He told ZDNet, "Even if it looks like I'm doing this just for money, this is not my motivation at all in this case. My motivation is to get Apple to create a bug bounty program."
Researchers Find Critical Privacy Vulnerabilities in 5G (02/04/2019)
Researchers from SINTEF Digital (Norway), ETH Zürich, and the Technical University of Berlin have identified a privacy attack that targets the Authentication and Key Agreement (AKA) protocol, including 5G AKA. The team found a logical vulnerability in the protocol specification that can be used to break the confidentiality of the sequence number, a key component of AKA. An attacker could combine the technique with fake mobile base stations to monitor mobile users' activity, build profiles of those users, and then check their activity remotely.
Security Holes Can Be Exploited in IDenticard PremiSys (02/04/2019)
IDenticard's PremiSys access control system contains several critical vulnerabilities that could allow an attacker to view sensitive information in backups, obtain credentials, or gain full access to the system with administrative privileges, according to an ICS-CERT advisory. One update has been released and further updates are forthcoming.
Update Mitigates Bugs in Schneider Electric EVLink Parking (02/04/2019)
The ICS-CERT posted an advisory for Schneider Electric's EVLink Parking electric vehicle charging station covering hard-coded credentials, code injection, and SQL injection vulnerabilities. Schneider Electric recommends that users set up a firewall to restrict remote access to the charging stations by unauthorized users. A software update is also available for download to mitigate these vulnerabilities.
WECON Releases Security Update for LeviStudioU (02/06/2019)
WECON has released an updated version of LeviStudioU that mitigates multiple vulnerabilities affecting versions 1.8.56 and prior. According to an ICS-CERT advisory, these issues could allow attackers to execute arbitrary code. Affected parties can contact WECON customer service for information on obtaining the updated version.