Category Archives: Vulnerability Assessment

Emergency Fixes for Critical Vulnerability in Identity Manager Released by Oracle

Oracle has released an out-of-cycle patch to fix a critical vulnerability (CVE-2017-10151) affecting Oracle Identity Manager, a widely used enterprise identity management system that is an integral part of the company's Fusion Middleware offering.


“Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert without delay,” the company said.

The vulnerability has been assigned a CVSS v3 base score of 10.0 and can result in complete compromise of Oracle Identity Manager via an unauthenticated network attack. The flaw is easily exploitable, and a successful attack requires no user interaction.

The supported affected versions of the product are: 11.1.1.7, 11.1.1.9, 11.1.2.1.0, 11.1.2.2.0, 11.1.2.3.0, and 12.2.1.3.0.

“Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities,” Oracle said, and advised customers to upgrade to supported versions.

No further details about the flaw have been shared, nor the identity of those who discovered it, nor whether it is being actively exploited in the wild. Releases outside extended support have not been tested for the vulnerabilities covered by this security alert; however, it is probable that earlier versions of the affected releases are also vulnerable.

The October 2017 Oracle Critical Patch Update delivered some forty new security fixes for Oracle Fusion Middleware. The next Oracle CPU is scheduled for 16 January 2018.

Ships at Risk from Serious Flaws in Maritime Communication


Security researchers have raised serious concerns about security flaws in a maritime communication system.

According to researchers from IOActive, Stratos Global's AmosConnect 8.4.0, a satellite-based shipboard communication system, is vulnerable to cyber-attack. Inmarsat has dismissed the research as irrelevant because it concerns a recently retired platform.

The vendor also stated that the hacking scenario IOActive described against its former kit would be hard to pull off in practice. Thousands of vessels worldwide used the AmosConnect mobile satellite communications platform. The flaws IOActive found in the technology include a blind SQL injection in a login form and a backdoor account that grants full system privileges.

According to IOActive principal security consultant Mario Ballano, such an account gives attackers a means to execute arbitrary code on the AmosConnect server, leaving any sensitive information it holds wide open to theft. IOActive warns that the flaws could allow attackers to reach sensitive information stored on AmosConnect servers, such as emails, instant messages, position reports and automated file transfers, and potentially gain direct access to other connected systems or networks.

AmosConnect supports narrow-band satellite communications and integrates vessel and shore-based office applications into a single messaging system. IOActive notified Inmarsat of the vulnerabilities in October 2016 and completed the disclosure process in July 2017. Inmarsat has retired version 8.0 of the platform and recommends that customers revert to AmosConnect 7.0 or move to an email solution from one of its approved partners. Inmarsat played down the significance of the findings in response to queries from El Reg about IOActive's research, arguing that it concerns a discontinued, obsolete version of its technology that it had planned to retire even before IOActive reported the security problems.

An Inmarsat spokesman added the “potential vulnerability” would have been “very difficult to exploit as it would require direct access to the shipboard PC that ran the AC8 email client. This could only be done by direct physical access to the PC, which would require an intruder to gain access to the ship and then to the computer. Any attempt to enter remotely would have been blocked by Inmarsat’s shoreside firewalls.”

Maritime cybersecurity has come under growing scrutiny this year following a series of incidents, including the June GPS spoofing attack involving more than twenty vessels in the Black Sea, while there was speculation that the August collision between the USS John McCain and a chemical tanker might have been the result of cyber interference. Ballano presented his research in September, showing that he could obtain full system privileges, effectively becoming the administrator of the box on which AmosConnect is installed. An intruder would gain access to that host and potentially to further connected networks if any additional software or data were stored on it.

“Essentially anyone interested in sensitive company information or looking to attack a vessel’s IT infrastructure could take advantage of these flaws,” Ballano said. “This leaves crew member and company data extremely vulnerable, and could present risks to the safety of the entire vessel. Maritime Cybersecurity must be taken seriously as our global logistics supply chain relies on it and as cybercriminals increasingly find new methods of attack.”