Category Archives: Vulnerability Assessment

Serious Flaw Found in Many Siemens Industrial Products

Several products manufactured by Siemens are affected by a critical vulnerability that a remote attacker can exploit to put systems into a denial-of-service (DoS) condition.

The flaw, tracked as CVE-2017-12741 and rated “high severity,” was reported to Siemens by George Lashenko of industrial cybersecurity firm CyberX.

According to Siemens, the list of affected products includes SIMATIC S7-200 Smart micro-PLCs for small automation applications, SIMATIC S7 CPUs, SIMATIC WinAC RTX software controllers, SIMATIC ET 200 PROFINET interface modules, SIMATIC PN/PN couplers, SIMATIC Compact field units, development kits for PROFINET IO, SIMOTION motion control systems, SINAMICS converters, SINUMERIK CNC automation solutions, SIMOCODE motor management systems, and SIRIUS 3RW motor soft starters.

An attacker can cause affected systems to crash by sending them specially crafted packets on UDP port 161, which is used for the Simple Network Management Protocol (SNMP). To recover from the denial-of-service (DoS) condition, the devices must be restarted manually. The mitigating factors section of Siemens’ advisory notes that the attacker must have network access in order to exploit the flaw, and that Siemens instructs organizations to operate these devices only in trusted environments.

However, CyberX told SecurityWeek that there are approximately 2,000 Siemens devices reachable from the Internet, including about 400 with an exposed SNMP port, which could make them vulnerable to the firm’s exploit.

“DoS vulnerabilities shouldn’t be taken lightly,” CyberX said. “The December 2016 attack on the Ukrainian electrical grid used this type of exploit to disable protection relays and make it more difficult for operators to recover.”

The security firm said Siemens was very responsive to its vulnerability report. The vendor has released firmware updates that fix the flaw in some SIMATIC S7, EK-ERTEC, SIMOTION and SINAMICS products. Until patches become available for the other affected products, Siemens recommends disabling SNMP, which fully mitigates the vulnerability, restricting network access to port 161, applying defense-in-depth and cell protection concepts, and using VPNs.
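The mitigations above come down to keeping SNMP traffic to these controllers inside a trusted network. As an added example (not code from Siemens, CyberX or the article), the following Python check parses constructed boundary-firewall log lines and flags any port 161 traffic that reaches the PLC segment from a source outside the assumed engineering subnet; the subnets, log format and sample lines are all assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample firewall log lines (not from the article): each records one
# datagram seen at the boundary of the OT segment that contains the PLCs.
SAMPLE_LOG = """\
2017-11-22T10:01:02Z proto=udp src=10.20.0.5 dst=10.10.1.20 dport=161 bytes=84
2017-11-22T10:01:03Z proto=udp src=203.0.113.7 dst=10.10.1.20 dport=161 bytes=1412
2017-11-22T10:01:03Z proto=udp src=203.0.113.7 dst=10.10.1.21 dport=161 bytes=1412
2017-11-22T10:01:04Z proto=udp src=10.20.0.5 dst=10.10.1.22 dport=502 bytes=60
2017-11-22T10:01:05Z proto=tcp src=198.51.100.9 dst=10.10.1.20 dport=161 bytes=120
"""

# Assumed network plan for this example: PLCs live in 10.10.1.0/24 and SNMP is
# expected only from the engineering/management segment 10.20.0.0/24.
PLC_NET = ipaddress.ip_network("10.10.1.0/24")
ALLOWED_SNMP_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]
SNMP_PORT = 161

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_unexpected_snmp(rec):
    """True when port 161 traffic reaches a PLC from outside the allowed sources.
    The advisory concerns UDP, but TCP/161 from an unexpected source is reported
    as well, since it usually indicates scanning or a misconfigured ACL."""
    if rec["dport"] != SNMP_PORT:
        return False
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    if dst not in PLC_NET:
        return False
    return not any(src in net for net in ALLOWED_SNMP_SOURCES)


def find_unexpected_snmp(log_text):
    """Return (src, dst, proto) tuples for every flagged line, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_unexpected_snmp(rec):
            hits.append((rec["src"], rec["dst"], rec["proto"]))
    return hits


if __name__ == "__main__":
    for src, dst, proto in find_unexpected_snmp(SAMPLE_LOG):
        print(f"unexpected SNMP: {src} -> {dst} ({proto}/161)")
```

Run against the constructed log, the check flags the two external UDP sources and the TCP probe and ignores the engineering host and the Modbus line.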

Cisco Fixes Multiple Critical WebEx Vulnerabilities

Cisco has released updates for various components of its WebEx online video conferencing and meeting platform to fix multiple vulnerabilities, including critical flaws that can be exploited for remote code execution.

A total of six vulnerabilities affecting the WebEx Network Recording Player for Advanced Recording Format (ARF) and WebEx Recording Format (WRF) files have been classified as critical. The affected player is used to play back recorded WebEx meetings, conferences, and seminars. It can be installed automatically when a recording file hosted on a WebEx server is opened.

The security holes affecting the Network Recording Player can be exploited by a remote attacker to cause a denial-of-service (DoS) condition in the software and possibly execute arbitrary code by getting the targeted user to open specially crafted ARF or WRF files. Cisco noted that the attacker can send the malicious files to victims via email or get them to open a web page hosting the files.

Cisco has fixed the vulnerabilities in WebEx Business Suite meeting sites, WebEx Meetings sites, WebEx Meetings Server, and the WebEx ARF and WRF Players. Cisco’s advisory provides complete information on affected versions and the availability of patches. The flaws have been assigned the following CVE identifiers: CVE-2017-12367, CVE-2017-12368, CVE-2017-12369, CVE-2017-12370, CVE-2017-12371 and CVE-2017-12372.

The flaws were reported to Cisco by Andrea Micalizzi (rgod) and Steven Seeley of Offensive Security via Trend Micro’s Zero Day Initiative (ZDI), by Fortinet’s Kushal Arvind Shah, and by Qihoo 360 researcher Yihan Lian. ZDI has yet to make public the advisories for the flaws identified by Seeley and Micalizzi.

Cisco has seen no indication that the vulnerabilities have been exploited in malicious attacks.

Lian also discovered a medium-severity DoS vulnerability in the WebEx Network Recording Player. A remote attacker can cause the player to crash by getting the targeted user to open a malicious WRF file.

The networking giant published four additional advisories describing WebEx vulnerabilities on Wednesday. These flaws have also been rated “medium severity” and include cross-site scripting (XSS) and URL redirection vulnerabilities in WebEx Meeting Center, an information disclosure bug in Event Center, and a flaw that can be exploited to modify the welcome message in Meeting Server.

Google Reveals Details of $100K Chrome OS Flaws

Google has publicly disclosed the details of a code execution exploit chain for Chrome OS that earned a researcher $100K. In March 2015, Google announced its intention to offer up to $100K for an exploit chain that would lead to a persistent compromise of a Chromebox or Chromebook in guest mode via a web page. Before that, the company had offered $50K for such an exploit.

A researcher who uses the online handle Gzob Qq notified Google on September 18 that he had identified a series of vulnerabilities that could lead to persistent code execution on Chrome OS, the operating system running on Chromebox and Chromebook devices. The exploit chain consists of an out-of-bounds memory access bug in the V8 JavaScript engine (CVE-2017-15401), a privilege escalation in PageState (CVE-2017-15402), a command injection flaw in the network_diag component (CVE-2017-15403), and symlink traversal issues in the crash reporter (CVE-2017-15404) and cryptohomed (CVE-2017-15405).

The researcher provided Google with a proof-of-concept exploit tested on Chrome 60 and Chrome OS platform version 9592.94.0. Google patched the vulnerabilities on October 27 with the release of Chrome OS 62, platform version 9901.54.0/1, which also addressed the recently disclosed KRACK vulnerabilities. On October 11, Google informed the researcher that he had earned the $100K Pwnium reward. Pwnium was a one-day hacking competition that Google organized every year alongside the CanSecWest conference until February 2015, when it decided to turn Pwnium into a year-round program.

Last week Google made public Gzob Qq’s original report, which describes the complete exploit chain, along with the reports for each of the vulnerabilities it involves. This is not the first time the researcher has received a $100K reward from Google. Roughly a year earlier, he reported a similar Chrome OS exploit chain for which he earned the same amount. Another researcher, George Hotz, earned $150K at the Pwnium competition back in 2014 for a persistent Chrome OS exploit.

WordPress Sites Exposed to Attacks via ‘Formidable Forms’ Flaws

A researcher has found vulnerabilities in a popular WordPress plugin that malicious actors can exploit to gain access to sensitive data and take control of affected websites.

Formidable Forms is a WordPress plugin that lets users easily create contact pages, polls, surveys, and other kinds of forms. The plugin is available in a free version and a paid version that offers additional features, and it has more than 200,000 active installations. Jouko Pynnönen of the Finnish company Klikki Oy analyzed the plugin and discovered several vulnerabilities, including ones that pose critical security risks to the websites using it. The most severe flaw is a blind SQL injection that can allow attackers to enumerate a website’s databases and obtain their content. Exposed data includes WordPress user credentials and data submitted to a website through Formidable forms.

The researcher also identified another flaw that exposes data submitted through Formidable forms. Both this and the SQL injection bug are related to Formidable’s implementation of shortcodes, WordPress-specific code that lets users add various kinds of content to their websites with very little effort. Pynnönen also discovered reflected and stored cross-site scripting (XSS) vulnerabilities. The stored XSS lets an attacker execute arbitrary JavaScript code in the context of an administrator’s browsing session: the attacker injects the malicious code through forms, and it executes when the website administrator views the submission in the WordPress dashboard.

The expert also noted that if the iThemes Sync WordPress maintenance plugin is installed alongside Formidable Forms, an attacker can use the aforementioned SQL injection flaw to obtain a user’s ID and an authentication key. This data can be used to control WordPress through iThemes Sync, including adding new admins or installing plugins. Formidable Forms addressed the vulnerabilities with the release of versions 2.05.02 and 2.05.03. iThemes does not consider the attack vector described by the researcher a vulnerability in Sync, so it did not release a patch.

Pynnönen identified these flaws after being invited to participate in a HackerOne-hosted bug bounty program that offers rewards of up to $10,000. The program is run by an unnamed tech company based in Singapore, and the Formidable Forms vulnerabilities qualified for a bounty because the plugin was used by the firm. Exploiting the flaws on the tech firm’s website could have allowed an attacker to gain access to personal information and other sensitive data.

The researcher received about $4,500 for the SQL injection vulnerability and a few hundred dollars for each of the other security holes. Still, the researcher is unhappy that the Singapore-based company downplayed the risks posed by the flaws and reduced the severity of the SQL injection bug from “dangerous” to “high”.

Pynnönen has previously identified critical vulnerabilities in Yahoo Mail, WordPress plugins and the WordPress core.

VMware Patches vCenter Server Vulnerabilities

VMware has patched moderate-severity vulnerabilities in its vCenter Server management software that can be exploited for information disclosure and remote denial-of-service (DoS) attacks.

The first flaw, tracked as CVE-2017-4927, is related to how vCenter Server handles specially crafted LDAP network packets. An attacker can exploit the vulnerability remotely to cause a DoS condition. A Fortinet researcher reported the vulnerability in January, but it was only confirmed in April and patched a few months later. Fortinet has published its own advisory for the security hole and assigned it a risk rating of 3/5.

The issue affects vCenter Server 6.0 and 6.5 on any platform and has been addressed with the release of versions 6.0 U3c and 6.5 U1. The second vulnerability, CVE-2017-4928, affects the Flash-based vSphere Web Client; VMware pointed out that the HTML5-based application is not impacted. This CVE identifier has actually been assigned to two flaws discovered by a Tencent researcher in the product: a server-side request forgery (SSRF) issue and a CRLF injection bug.

“An attacker may exploit these issues by sending a POST request with modified headers towards internal services leading to information disclosure,” VMware said in its advisory.

vCenter Server 5.5 and 6.0 are affected, and patches are included in versions 5.5 U3f and 6.0 U3c. VMware’s disclosure of the vulnerabilities coincides with the release of vCenter Server 6.0 U3c. The other versions that include patches for these security holes, 5.5 U3f and 6.5 U1, were made available in mid-September and late July, respectively. Version 6.5 U1 also patched a moderate-severity stored cross-site scripting (XSS) vulnerability in the vCenter Server H5 Client. The flaw can be exploited by an authenticated attacker to execute malicious JavaScript code in the targeted user’s context.

A bug affecting versions 5.5, 6.0 and 6.5 of vCenter Server also allows an attacker with limited user privileges to abuse an API in order to access the guest operating system without authentication. The flaw was disclosed at the end of July at the Black Hat security conference in Las Vegas, but VMware has so far only provided a workaround for it.

Numerous Vulnerabilities Discovered in Linux Kernel USB Subsystem

Google researcher Andrey Konovalov has found a significant number of vulnerabilities in the Linux kernel USB subsystem using Google’s syzkaller fuzzer. The fuzzing tool helped Konovalov find dozens of bugs, including twenty-two security flaws that have been assigned CVE identifiers. In an advisory published this week, the expert presented details on about fourteen of the vulnerabilities he discovered.

Konovalov described the vulnerabilities as use-after-free, general protection fault, out-of-bounds read, and NULL pointer dereference issues that can be exploited to cause a denial-of-service (DoS) condition. The expert also noted that some of the flaws might have a different impact as well, which typically means they could allow arbitrary code execution.

The researcher also pointed out that an attacker needs physical access to the targeted system and must connect a malicious USB device in order to exploit the vulnerabilities. Others have suggested that an attacker with remote access to a machine may be able to update the firmware on connected USB drives to deploy exploits for these flaws and create malicious devices.

Fixes for many of the vulnerabilities are included in Linux kernel versions 4.13.4 and later, but several issues still remain unpatched. Linux distributions do not appear too worried about these security holes and have assigned them low severity ratings.

Back in February, the Google researcher also reported finding a locally exploitable code execution flaw that had been present in the kernel for more than eleven years. That double-free vulnerability (CVE-2017-6074) was also identified using the syzkaller fuzzer. In May of this year, he also disclosed details of a privilege escalation bug that could be exploited via packet sockets. An analysis of many CVEs conducted last year showed that the average lifetime of a Linux kernel vulnerability is about five years.

Oracle Releases Emergency Fix for Critical Identity Manager Vulnerability

Oracle has released an out-of-cycle patch to fix a critical vulnerability (CVE-2017-10151) affecting Oracle Identity Manager, a widely used enterprise identity management system that is part of the company’s Fusion Middleware offering.


“Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert without delay,” the company said.

The vulnerability has been assigned a CVSS v3 base score of 10.0 and can result in a complete compromise of Oracle Identity Manager via an unauthenticated network attack. It is easy to exploit, and a successful attack requires no user interaction.

The supported affected versions of the product are: 11.1.1.7, 11.1.1.9, 11.1.2.1.0, 11.1.2.2.0, 11.1.2.3.0, and 12.2.1.3.0.

“Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities,” Oracle said, and advised customers to upgrade to supported versions.

No further details about the flaw have been shared, nor the identity of those who discovered it, or whether it is being actively exploited in the wild. Releases outside extended support have not been tested for the presence of the vulnerabilities addressed by the current security alert; however, it is likely that earlier versions of affected releases are also affected by these vulnerabilities.

The October 2017 Oracle Critical Patch Update delivered some forty new security fixes for Oracle Fusion Middleware. The next Oracle CPU is scheduled for 16 January 2018.

Ships at Risk Due to Serious Flaws in Maritime Communication Platform


Security researchers have raised the alarm about security flaws in a maritime communication platform.

According to researchers from IOActive, the satellite-based shipboard communication system Stratos Global’s AmosConnect 8.4.0 is vulnerable to cyber-attacks. Inmarsat has dismissed the research as irrelevant since it relates to a recently retired platform.

The vendor has also said that the attack scenario against its former kit described by IOActive would be hard to pull off in practice. Thousands of vessels worldwide have used the AmosConnect mobile satellite communications platform. The flaws IOActive found in the technology include a blind SQL injection in the login form and a backdoor account that grants full system privileges.

According to IOActive principal security consultant Mario Ballano, such an account gives hackers a means to execute arbitrary code on the AmosConnect server, leaving any sensitive information it might contain wide open to theft. IOActive warns that the flaws could allow hackers to gain access to sensitive information stored on AmosConnect servers, such as emails, instant messages, position reports and automatic file transfers. All of this potentially opens direct access to other connected systems or networks.

AmosConnect supports narrow-band satellite communications and integrates vessel and shore-based office applications into a single messaging system. IOActive notified Inmarsat of the vulnerabilities in October 2016 and completed the disclosure process in July 2017. Inmarsat has retired version 8.0 of the platform and recommended that customers revert to AmosConnect 7.0 or switch to an email solution from one of its approved partners. In response to queries from El Reg about IOActive’s research, Inmarsat downplayed the significance of the findings, arguing that they concern a discontinued and retired version of its technology that it had planned to decommission even before IOActive reported the security problems.

An Inmarsat spokesman added the “potential vulnerability” would have been “very difficult to exploit as it would require direct access to the shipboard PC that ran the AC8 email client. This could only be done by direct physical access to the PC, which would require an intruder to gain access to the ship and then to the computer. Any attempt to enter remotely would have been blocked by Inmarsat’s shoreside firewalls.”

Maritime cybersecurity has been attracting growing scrutiny this year following a series of incidents, including the June GPS spoofing attack involving over twenty vessels in the Black Sea, and speculation in August that the collision between the USS John McCain and a chemical tanker might have been the result of cyber interference. Ballano presented his research in September and found that he could gain full system privileges, essentially becoming the administrator of the box on which AmosConnect is installed. The attacker would have had access to any additional software or information stored on the box, and possibly to other connected networks.

“Essentially anyone interested in sensitive company information or looking to attack a vessel’s IT infrastructure could take advantage of these flaws,” Ballano said. “This leaves crew member and company data extremely vulnerable, and could present risks to the safety of the entire vessel. Maritime Cybersecurity must be taken seriously as our global logistics supply chain relies on it and as cybercriminals increasingly find new methods of attack.”