Security Flaws & Fixes - W/E - 8/9/19
Advisories Issued for 3S-Smart Software CODESYS V3 (08/06/2019)
Successful exploitation of vulnerabilities in 3S-Smart Software's CODESYS V3 could allow a remote attacker to close existing communication channels or to take over an already established user session to send crafted packets to a programmable logic controller. New versions have been released to mitigate risks. Interested parties can read the ICS-CERT's advisory regarding these issues. A separate advisory discusses insufficiently protected credentials in CODESYS V3.
Android Security Bulletin Contains Critical System Component Patch (08/06/2019)
Google's August Android Bulletin contains at least 25 security fixes for the operating system. According to the vendor, the most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted PAC file to execute arbitrary code within the context of a privileged process.
Cisco Kills Off RCE Bugs in Network Switches (08/07/2019)
To address multiple vulnerabilities in its Small Business 220 Series Smart Switches, Cisco released updates and an advisory. The updates mitigate remote code execution issues that could enable an unauthenticated, remote attacker to overflow a buffer, which then allows the execution of arbitrary code with root privileges on the underlying operating system. Cisco also patched vulnerabilities across other products, releasing more than 20 advisories on August 7.
Fuji Electric Updates FRENIC Loader (08/06/2019)
Fuji Electric's FRENIC Loader, an AC drive, contains an out-of-bounds read vulnerability, which may allow an attacker to read limited information from the device. A new version has been released, according to an ICS-CERT advisory.
Google Chrome Receives Security Updates (08/08/2019)
Google updated Chrome to version 76.0.3809.100 for Windows, Mac, and Linux. This version mitigates four security flaws, including a use-after-free in PDFium ExecuteFieldAction.
Misconfiguration in JIRA Leaked Data for NASA, Google, Other Entities (08/06/2019)
Security researcher Avinash Jain shared details about a misconfiguration in the JIRA project management software that was responsible for leaking data from numerous organizations, including NASA, Google, Lenovo, and Yahoo. JIRA is an Atlassian task tracking/project management system used by around 135,000 companies and organizations globally. The issue pertained to the wrong permissions being assigned when creating filters or dashboards in JIRA. Jain said, "When the filters and dashboards for the projects/issues are created in JIRA, then by default the visibility is set to 'All users' and 'Everyone' respectively, which instead of sharing with everyone of the organizations (which people think and interpret), it shares them [publicly]."
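The practical follow-up to Jain's finding is an audit of which saved filters and dashboards in an instance are shared beyond their intended scope. The script below is an added example, not code from the article or from Atlassian: it classifies filter objects by their share permissions and flags the ones visible to the public or to every authenticated user. The JSON shape (a `sharePermissions` list whose entries carry a `type` such as `global`, `loggedin`, `authenticated`, `project` or `group`) is the author's understanding of what JIRA's filter REST API returns, stated here as an assumption; the sample records are constructed, not real filters.

```python
import json

# Constructed sample records. The field layout mirrors the author's
# understanding of JIRA's filter API (an assumption, not taken from the
# article); the names, ids and owners are invented for the example.
SAMPLE_FILTERS = json.loads("""[
 {"id": "10001", "name": "Open incidents", "owner": {"name": "alice"},
  "sharePermissions": [{"type": "global"}]},
 {"id": "10002", "name": "Release board", "owner": {"name": "bob"},
  "sharePermissions": [{"type": "project", "project": {"key": "REL"}}]},
 {"id": "10003", "name": "Private triage", "owner": {"name": "carol"},
  "sharePermissions": []},
 {"id": "10004", "name": "Vendor contacts", "owner": {"name": "dave"},
  "sharePermissions": [{"type": "loggedin"},
                       {"type": "group", "group": {"name": "finance"}}]}
]""")

# Share-permission types and what they mean in this example (assumed):
#   global                 -> anyone on the internet ("Everyone"/public)
#   loggedin/authenticated -> any user who can log in ("All users")
#   project/group/user     -> scoped to a project, group or person
PUBLIC_TYPES = {"global"}
ORG_WIDE_TYPES = {"loggedin", "authenticated"}


def classify(filter_obj):
    """Return the widest audience a filter is shared with."""
    types = {p.get("type") for p in filter_obj.get("sharePermissions", [])}
    if types & PUBLIC_TYPES:
        return "public"
    if types & ORG_WIDE_TYPES:
        return "org-wide"
    if types:
        return "scoped"
    return "private"  # no share permissions: visible to the owner only


def find_exposed(filters):
    """List (id, name, owner, audience) for filters shared too widely.

    Public sharing is the finding from the article; org-wide sharing is
    reported too because it is usually broader than the owner intended.
    """
    report = []
    for f in filters:
        audience = classify(f)
        if audience in ("public", "org-wide"):
            report.append((f["id"], f["name"], f["owner"]["name"], audience))
    return report


if __name__ == "__main__":
    for fid, name, owner, audience in find_exposed(SAMPLE_FILTERS):
        print(f"filter {fid} '{name}' owned by {owner} is shared {audience}")
```

In a real audit the same classification would be run over the filter (and dashboard) objects fetched from the instance's REST API with an administrative account; anything classified `public` should be re-shared to a project or group, and `org-wide` entries reviewed with their owners.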
Bitdefender discovered a new security vulnerability that affects all modern Intel CPUs which leverage speculative-execution, potentially letting hackers access passwords, tokens, private conversations, encryption, and other sensitive data. Every machine using newer Intel processors which leverage speculative-execution and running Windows is affected. The vulnerability delivers a side-channel attack that gives the attacker a method to access all information in the operating system kernel memory and bypasses all known mitigations implemented after the discovery of Spectre and Meltdown in early 2018. Bitdefender has worked with Intel for more than a year on public disclosure of this attack and Microsoft released an advisory to provide more details about how the Windows kernel is impacted. A Microsoft security update on July 9 addressed the vulnerability through a software change that mitigates how the CPU speculatively accesses memory. The Cybersecurity and Infrastructure Security Agency (CISA) has also released an advisory pertaining to this Spectre variant, which is dubbed "SWAPGS."
NVIDIA GPU Display Driver, SHIELD TV Receive Critical Security Updates (08/06/2019)
NVIDIA released a software security update for the GPU Display Driver. This update addresses issues that may lead to local code execution, denial-of-service, or escalation of privileges. The vendor also issued updates for NVIDIA SHIELD TV to address issues that may lead to information disclosure, code execution, or escalation of privileges.
OpenDreamBox 2.0.0 WebAdmin Plugin Flaw Allows for Remote Command Execution (08/08/2019)
Check Point Software's July Global Threat Index details a vulnerability in the OpenDreamBox 2.0.0 WebAdmin Plugin that has impacted 32% of organizations globally. This flaw enables attackers to execute commands remotely on target machines. The exploit was triggered alongside other attacks targeting Internet of Things devices, in particular with the MVPower DVR Remote Code Execution, which is known to be related to the Mirai botnet. The report also noted that XMRig, Jsecoin, and Dorkbot were the three most prominent malware samples in circulation during the month of July.
Qualcomm Chip Flaws Expose Android Devices to Attackers (08/06/2019)
Tencent researchers have uncovered serious flaws in Qualcomm chips, including a bug that allows attackers to compromise the WLAN and modem over the air. The other vulnerability enables attackers to infiltrate the Android kernel from the WLAN chip. The complete exploit chain can result in a full compromise of the Android kernel over the air in certain circumstances. Although only Google Pixel 2 and Pixel 3 devices were tested, the researchers believe that unpatched phones running on the Qualcomm Snapdragon 835 and 845 may be vulnerable. Qualcomm has released fixes. Google also addressed these bugs with updates.
Reminder: Update CylancePROTECT Immediately to Counter Antivirus Bypass (08/06/2019)
The CERT Coordination Center is reminding BlackBerry Cylance users to update CylancePROTECT immediately. Existing vulnerabilities could enable an adversary to craft malicious files that the antivirus product will likely mistake for benign files. BlackBerry Cylance issued patches on July 21.
Researchers Find More WPA3 Protocol Dragonfly Handshake Vulnerabilities (08/06/2019)
The researchers who initially uncovered the Dragonblood vulnerabilities, critical issues surrounding the WPA3 protocol's Dragonfly handshake, say that the Wi-Fi Alliance's security recommendations for remediation are flawed. Mathy Vanhoef and Eyal Ronen warned that the Brainpool curves, which the Wi-Fi Alliance claimed were safe to use, actually introduce a new class of side-channel attacks in the Dragonfly handshake of WPA3. The new side-channel leak is located in the password encoding algorithm of Dragonfly. This algorithm first tries to find a hash output that is smaller than the prime of the elliptic curve being used. Vanhoef and Ronen said, "With the default NIST curves, such a hash output is practically always found immediately. However, with Brainpool curves, several iterations may have to be executed before finding a hash output smaller than the prime. The number of iterations that didn't have such a valid hash output depends on the password being used and on the MAC address of the client. Simplified, the resulting timing and execution differences can be measured by an adversary."
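The iteration count the researchers describe can be reproduced with a toy model of Dragonfly's "hunting and pecking" password encoding. The block below is an added example, not the researchers' code and not an implementation of the IEEE 802.11 SAE or RFC 7664 algorithm: it keeps only the structure that matters for the leak (a counter-indexed hash of the password and the two MAC addresses, compared against the curve prime), uses HMAC-SHA256 as a stand-in for the specification's KDF, and never derives an actual curve point. The two primes are the real NIST P-256 and brainpoolP256r1 field primes; the passwords and MAC addresses are constructed. Because P-256's prime sits just below 2^256, a random 256-bit value is smaller than it almost always, whereas the Brainpool prime is roughly 0.66 of 2^256, so about one candidate in three fails and the number of rounds becomes a function of the password and the MACs. The `fixed_iterations` variant shows the direction of the fix: always run the same number of rounds and keep the first valid candidate, so the round count no longer carries information.

```python
import hashlib
import hmac

# Field primes of the two curves (real values).
P256_PRIME = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
BP256R1_PRIME = 0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377

MAX_ROUNDS = 40  # upper bound on hunting rounds in this toy model (assumed)


def hunt(password, mac_a, mac_b, prime, fixed_iterations=False):
    """Toy hunting-and-pecking loop.

    Returns (candidate, rounds_executed). With fixed_iterations=False the loop
    stops at the first hash output below the prime, so rounds_executed leaks
    how many candidates failed (the side channel). With fixed_iterations=True
    the loop always runs MAX_ROUNDS and keeps the first valid candidate.
    This is a simplified model, not the 802.11 SAE algorithm.
    """
    # Like SAE, key the hash on the ordered pair of MAC addresses.
    macs = b"".join(sorted([mac_a, mac_b], reverse=True))
    found = None
    rounds = 0
    for counter in range(1, MAX_ROUNDS + 1):
        rounds += 1
        seed = hmac.new(macs, password + bytes([counter]), hashlib.sha256).digest()
        # Stand-in for the spec's KDF: expand the seed to prime.bit_length() bits.
        candidate = int.from_bytes(
            hmac.new(seed, b"SAE Hunting and Pecking", hashlib.sha256).digest(), "big")
        if found is None and candidate < prime:
            found = candidate
            if not fixed_iterations:
                break
    return found, rounds


def iteration_profile(prime, samples=60):
    """Rounds needed for a set of constructed (password, MAC pair) inputs."""
    counts = []
    for i in range(samples):
        password = b"constructed-password-%d" % i           # constructed
        mac_client = bytes([0x02, 0x00, 0x00, 0x00, 0x00, i])  # constructed
        mac_ap = bytes([0x02, 0x00, 0x00, 0x00, 0x01, i])      # constructed
        counts.append(hunt(password, mac_client, mac_ap, prime)[1])
    return counts


if __name__ == "__main__":
    print("NIST P-256 rounds:    ", sorted(set(iteration_profile(P256_PRIME))))
    print("brainpoolP256r1 rounds:", sorted(set(iteration_profile(BP256R1_PRIME))))
```

The printed sets illustrate the quoted observation: every P-256 input finishes in one round, while the Brainpool inputs need a varying number, and that variation is exactly what an adversary observing timing could correlate with password guesses. The constant-round variant is only part of a real mitigation (the actual work in each round must also be independent of whether the candidate was accepted), but it removes the leak this toy exposes.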
Rockwell Automation Updates Arena Simulation Software (08/06/2019)
Rockwell Automation's Arena Simulation Software is affected by use-after-free and information exposure vulnerabilities. Version 16.00.01 has been released to mitigate these risks. Users can read the advisory that has been issued by the ICS-CERT for further information.
Security Issues Detected in LCDS LAquis SCADA (08/06/2019)
LAquis SCADA from LCDS is vulnerable to two different flaws, an ICS-CERT advisory reveals. If exploited, an attacker could obtain confidential information or execute remote code. LCDS recommends users update to Version 4.3.1.323.
Starbucks Database Flaw Leaked Info on One Million Accounting Records (08/07/2019)
Security researcher Eugene Lim disclosed details regarding a SQL injection vulnerability in an enterprise financial/accounting software platform used by Starbucks. The flaw exposed one million records stored in the coffee chain's accounting database. Starbucks was running the Microsoft Dynamics AX enterprise resource planning platform, which contained the bugs. Lim notified Starbucks and received a $4,000 USD bounty for his work.
Updated Version Released for Advantech WebAccess HMI Designer (08/06/2019)
An out-of-bounds write vulnerability in Advantech WebAccess HMI Designer could allow an attacker to remotely execute arbitrary code. The vendor released version 2.1.9.31 of WebAccess HMI Designer to address the reported vulnerability. Further details are available from an ICS-CERT advisory.
Updates Boot Pixel Shader Bugs in VMware Products (08/06/2019)
VMware has released updates for ESXi, Workstation, and Fusion to address out-of-bounds read/write vulnerabilities in the pixel shader functionality. Exploitation of these issues requires an attacker to have access to a virtual machine with 3D graphics enabled. 3D graphics is not enabled by default on ESXi but is enabled by default on Workstation and Fusion.
WhatsApp Flaws Enable Manipulation of Messages (08/08/2019)
Researchers at Check Point Software have advised that it is possible to manipulate quoted messages and spread misinformation from what appear to be trusted sources via the WhatsApp messaging application. The researchers warned WhatsApp of three critical vulnerabilities in 2018, and one of the bugs was patched. The issues lie in the ability to spoof reply messages to impersonate others and also to manipulate messages on behalf of other people. Check Point has said, "we believe these vulnerabilities to be of the utmost importance and require attention."