Fuzz Testing

Fuzz testing, or fuzzing, is a form of software testing that involves providing invalid, unexpected or random data as input to a software application in an attempt to make it crash (Rouse, 2016).  The concept behind fuzz testing is that software can have many different bugs relating to data input.  For example, input consists of different kinds of integers, character strings, floats and other variables which, if not handled correctly, may cause the application to crash. A common example is an integer field that is meant to accommodate a few specific numbers, such as one through five, but where a user can enter any integer because of the generic setup of the input field or control. Entering a value higher than five can cause the application to crash (Techopedia, 2016).  From a security standpoint, if fuzz testing causes the application to crash there are a number of security concerns, the least of which is denial of service (loss of availability); more severely, the vulnerability that caused the crash could be exploitable by an attacker (Allen, 2010).  Fuzz testing is often employed as a form of black-box testing, that is, testing a software application without knowing how the code works or how the software was designed (Beal, V., 2016).

In order to fuzz test a software application, a program called a fuzzer is used.  A fuzzer generates and injects random data into a program and its stack to detect bugs or vulnerabilities.  The types of vectors that a fuzzer can inject into a program can be broken up into four categories: numbers such as integers; chars such as URLs or command-line inputs; metadata such as user input; and pure binary. Some “known to be dangerous” values in these categories are the following: for numbers, zeros or negative numbers; for chars, interpretable characters; and for binary, random ones (OWASP, 2016 June 23).  Any type of input can be fuzz tested: file formats, network protocols, environment variables, API calls, keyboard and mouse events. Even items that are not input can be fuzzed, such as shared memory or the contents of databases (2016 Nov. 21, “Fuzz testing”).
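As an added example (not code from any of the fuzzers listed on this page), the Python script below applies the four input categories and the “known to be dangerous” values described above to a constructed toy parser that, like the integer-field example, accepts ratings one through five but never checks the upper bound; any exception type the parser is not meant to raise is counted as a crash.

```python
"""Minimal generation-based fuzzer for the input categories described above.
Added example; parse_rating() is a constructed target, not real product code."""
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple, Type

RATINGS = {1: "poor", 2: "fair", 3: "ok", 4: "good", 5: "great"}


def parse_rating(raw: bytes) -> str:
    """Constructed target: decode a 1-5 rating field into a label.
    It rejects values below 1 but never checks the upper bound, so any
    value above 5 escapes validation and crashes with KeyError."""
    text = raw.decode("ascii")      # non-ASCII bytes -> UnicodeDecodeError (a ValueError)
    value = int(text.strip())       # non-numeric chars -> ValueError (clean rejection)
    if value < 1:
        raise ValueError("rating must be at least 1")
    return RATINGS[value]           # the bug: 6, 7, ... raise KeyError


# Fixed "known to be dangerous" values, grouped by the OWASP-style categories in the text.
KNOWN_BAD: Dict[str, List[bytes]] = {
    "numbers": [b"0", b"-1", b"6", b"-2147483648", b"2147483647", b"4294967296", b"9" * 40],
    "chars": [b"", b" ", b"\x00", b"%s%n", b"'", b"\\", b"../", b"1e9", b"0x10", b"1_0"],
    "metadata": [b"5" + b"\r\n" * 3, b"A" * 65536, b"\t5\t", b"+5", b"5\x00"],
    "binary": [bytes(range(256)), b"\xff\xfe5", b"\x80"],
}


def random_cases(rng: random.Random, per_category: int) -> Dict[str, List[bytes]]:
    """The 'random data' half of fuzzing: seeded so runs are reproducible."""
    cases: Dict[str, List[bytes]] = {k: [] for k in KNOWN_BAD}
    for _ in range(per_category):
        cases["numbers"].append(str(rng.randint(-(2 ** 63), 2 ** 63)).encode())
        cases["chars"].append(bytes(rng.choice(b"0123456789 +-.eExX_%'\"\\/")
                                    for _ in range(rng.randint(1, 12))))
        cases["metadata"].append(str(rng.randint(1, 5)).encode()
                                 + bytes(rng.choice(b" \t\r\n\x00") for _ in range(rng.randint(0, 5))))
        cases["binary"].append(bytes(rng.getrandbits(8) for _ in range(rng.randint(1, 32))))
    return cases


@dataclass
class Crash:
    category: str
    payload: bytes
    exception: str


def fuzz(target: Callable[[bytes], object], seed: int = 0, per_category: int = 50,
         expected: Tuple[Type[BaseException], ...] = (ValueError,)) -> List[Crash]:
    """Run target over known-bad plus random inputs.  Exceptions listed in
    `expected` are proper input rejections; anything else is a crash finding."""
    rng = random.Random(seed)
    corpus = random_cases(rng, per_category)
    for category, fixed in KNOWN_BAD.items():
        corpus[category] = fixed + corpus[category]
    crashes: List[Crash] = []
    for category, payloads in corpus.items():
        for payload in payloads:
            try:
                target(payload)
            except expected:
                continue                  # rejected cleanly: not a bug
            except Exception as exc:      # unexpected exception type: record it
                crashes.append(Crash(category, payload, type(exc).__name__))
    return crashes


if __name__ == "__main__":
    for crash in fuzz(parse_rating):
        print(f"{crash.category:9s} {crash.exception:10s} input={crash.payload[:24]!r}")
```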

Focusing back on Fuzzers, below is a short list of some open source fuzzers:

  • afl-fuzz  –  designed to be practical: it requires minimal effort and virtually no configuration, and seamlessly handles complex real-world cases such as image parsing. afl-fuzz uses genetic algorithms and compile-time instrumentation to discover test cases that trigger new internal states in the targeted binary (Zalewski, M., 2016).
  • Hodor Fuzzer – a general-use fuzzer that can be configured to use known-good input and delimiters in order to fuzz specific locations.  It is designed to be a go-between, being easier to use than a proper fuzzer that requires a lot of configuration (John, J., Hollembaek, B. and Arana, F., 2016 Aug. 30).
  • Sulley – a fuzzing framework and engine that consists of multiple extensible components.  The developer’s goal is to simplify data representation, transmission and instrumentation.  Sulley not only focuses on data generation but also monitors the test target, is capable of reverting it to a known-good state, and automatically determines which unique sequence of test cases triggers faults (Sears, R., 2016 Oct. 17).

References:

Vulnerabilities Weekly Summary Ending December 2

Mozilla releases updates for Firefox, Firefox ESR and Thunderbird addressing a critical vulnerability

Mozilla released two updates for Firefox and one update for Firefox ESR and Thunderbird. The first update for Firefox addresses CVE-2016-9078, in which a URL can inherit the wrong origin after an HTTP redirect (2016 Nov. 28, “Mozilla Foundation Security Advisory 2016-91”).  The second update addresses a critical vulnerability (CVE-2016-9079) in Firefox, Firefox ESR and Thunderbird that also affects the Tor Browser, which is based on Firefox (2016 Dec. 1, “Mozilla Foundation Security Advisory 2016-92”).  It is a use-after-free vulnerability affecting SVG animation. This zero-day is reported to be exploited in the wild using crafted web pages containing malicious JavaScript and SVG code.  The payload is not written to disk, to keep the footprint as minimal as possible; only shellcode is run directly in memory.  Once in memory, the payload harvests the targeted system’s IP and MAC address and sends them back to a remote server (Kovacs, E., 2016 Dec. 1).

CVE-2016-9078 – “Redirection from an HTTP connection to a data: URL assigns the referring site’s origin to the data: URL in some circumstances. This can result in same-origin violations against a domain if it loads resources from malicious sites. Cross-origin setting of cookies has been demonstrated without the ability to read them”  (2016 Nov. 28, “Mozilla Foundation Security Advisory 2016-91”).

CVE-2016-9079 – “A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows” (2016 Dec. 1, “Mozilla Foundation Security Advisory 2016-92”).

Gooligan malware possible by exploiting vulnerabilities from two and three years ago

Cybersecurity firm Checkpoint has released a report about a new malware campaign targeting Android, dubbed Gooligan. Over 1 million Android devices are infected with the malware worldwide, with 13,000 new infections occurring daily.  The Gooligan malware infects an Android phone when the user sideloads an unofficial application (app).  After the bogus app is installed, it sends user data back to its command and control (C&C) servers.  Gooligan then downloads a rootkit from the C&C servers which exploits two Android vulnerabilities from two and three years ago: VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153) (Nov. 30, 2016, “More Than 1 Million Google Accounts Breached by Gooligan“). Patches for these two vulnerabilities have been available for years, but the fact that over a million Android devices are infected through them goes to show that many users have not updated.  Below are details on those two vulnerabilities.

CVE-2013-6282 – “The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not validate certain addresses, which allows attackers to read or modify the contents of arbitrary kernel memory locations via a crafted application, as exploited in the wild against Android devices in October and November 2013” (CVE.MITRE.org).

CVE-2014-3153 – “The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification” (CVE.MITRE.org).

References

  • (2016 Nov. 28). “Mozilla Foundation Security Advisory 2016-91”. Mozilla. Retrieved from https://www.mozilla.org/en-US/security/advisories/mfsa2016-91/
  • (2016 Dec. 1). “Mozilla Foundation Security Advisory 2016-92”. Mozilla. Retrieved from https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/
  • Kovacs, E. (2016 Dec. 1). “Mozilla Patches Firefox Zero-Day Exploited to Unmask Tor Users”. Securityweek.com. Retrieved from http://www.securityweek.com/mozilla-patches-firefox-zero-day-exploited-unmask-tor-users
  • (Nov. 30, 2016). “More Than 1 Million Google Accounts Breached by Gooligan“. Checkpoint [Weblog]. Retrieved from http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/
  • CVE.MITRE.org. Common Vulnerabilities and Exposures (CVE): a dictionary of publicly known information security vulnerabilities and exposures, international in scope and free for public use in accordance with its terms of use.

Vulnerabilities Weekly Summary Ending November 25

Network Time Protocol updated to v4.2.8p9; addresses ten vulnerabilities

Network Time Foundation, the maintainer of the Network Time Protocol (NTP), released a new version which addresses ten vulnerabilities, one of which has been deemed critical and is detailed below (Graves, S., 2016 Nov. 21).  The update also adds 28 non-security fixes and improvements.

  • CVE-2016-9312 – “If a vulnerable instance of ntpd on Windows receives a crafted malicious packet that is “too big”, ntpd will stop working” (Wassermann, G., 2016 Nov. 21).

Four file parsing vulnerabilities discovered in HDF5 File Library

Security researchers at Cisco Talos have discovered four vulnerabilities affecting HDF5, a data model, library and file format designed for storing and managing large and complex data collections (Chiu, A., 2016 Nov. 16).

  • CVE-2016-4330 – “A vulnerability exists in the way HDF fails to check the number of dimensions for an array read to verify the file is within the bounds of the space allocated for it. When reading elements from the file into this array, a heap-based buffer overflow will occur, potentially leading to arbitrary code execution in the context of the application using the library” (Chiu, A., 2016 Nov. 16).
  • CVE-2016-4331 – “A buffer overflow vulnerability exists when the library is decoding data out of a dataset encoded with H5Z_NBIT. When calculating the precision of an encoded BCD number, the library will fail a bounds check leading the library to calculate an index outside the bounds of the space allocated for the BCD number. The library will then write outside the bounds of the buffer leading to a heap-based buffer overflow and possible code execution” (Chiu, A., 2016 Nov. 16).
  • CVE-2016-4332 – “A vulnerability exists due to the library’s failure to check if specific message types support a particular flag. When this flag is set, the library will cast the structure to an alternate structure and then assign to fields that aren’t supported by the message type. The message type is not able to support this flag and the library will write outside the bounds of the heap buffer, which can lead to code execution” (Chiu, A., 2016 Nov. 16).
  • CVE-2016-4333 – “a heap based buffer overflow which manifests in the H5O_dtype_decode_helper routine when parsing an HDF file. Due to an inadequate handling of certain values in memory while the file is being parsed, a user who opens a specifically crafted HDF file could exploit this flaw and achieve code execution in the context of the application using the library” (Chiu, A., 2016 Nov. 16).

Ragentek Android Over-the-Air (OTA) update vulnerable to Man-in-the-Middle (MITM) Attack

Ragentek Group, a Chinese software company that created a custom version of Android for use on devices, did not use an encrypted channel for transactions from its update binary to the third-party endpoint; if exploited, this could allow a remote attacker to execute arbitrary code with root privileges.  This vulnerability could affect over 2 million Android devices (Arghire, I., 2016 Nov. 18).

  • CVE-2016-6564 – “Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks. Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit. A remote, unauthenticated attacker in a position to perform man-in-the-middle attacks can execute arbitrary commands as root”  (Novelly, T., 2016 Nov. 17).

Four vulnerabilities addressed in Palo Alto Networks’ PAN-OS operating system

A security researcher, Tavis Ormandy, has discovered two vulnerabilities that affect PAN-OS.  The first was deemed “medium” priority because, if exploited, it only allows remote code execution as an unprivileged user; the other vulnerability is more critical, since exploiting it can result in remote code execution with root privileges (Kovacs, E., 2016 Nov. 21). These two vulnerabilities are listed below. Additionally, two other low-priority vulnerabilities were also addressed by Palo Alto Networks: an OpenSSH vulnerability (2016 Nov. 17, “OpenSSH Vulnerability: PAN-SA-2016-0036“) and an XPath injection vulnerability (2016 Nov. 17, “XPath Injection PAN-SA-2016-0037“). Palo Alto Networks has released patches to fix all four vulnerabilities.

  • CVE-2016-9150 – “Palo Alto Networks web management server improperly handles a buffer overflow. An attacker with network access to the management web interface may be able to perform a remote code execution (RCE) or denial-of-service (DoS)” (2016 Nov. 17, “Buffer Overflow in the Management Web Interface: PAN-SA-2016-0035“).
  • CVE-2016-9151 – “Palo Alto Networks firewalls do not properly validate certain environment variables…A potential attacker with local shell access could manipulate arbitrary environment variables which could result in a process running with higher privileges” (2016 Nov. 17, “Local Privilege Escalation: PAN-SA-2016-0034″).

References:

  • (2016 Nov. 17). “Local Privilege Escalation: PAN-SA-2016-0034″. Palo Alto Networks. Retrieved from https://securityadvisories.paloaltonetworks.com/Home/Detail/67
  • (2016 Nov. 17). “Buffer Overflow in the Management Web Interface: PAN-SA-2016-0035“. Palo Alto Networks. Retrieved from https://securityadvisories.paloaltonetworks.com/Home/Detail/68
  • (2016 Nov. 17). “OpenSSH Vulnerability: PAN-SA-2016-0036“. Palo Alto Networks. Retrieved from https://securityadvisories.paloaltonetworks.com/Home/Detail/69
  • (2016 Nov. 17). “XPath Injection PAN-SA-2016-0037“. Palo Alto Networks. Retrieved from https://securityadvisories.paloaltonetworks.com/Home/Detail/70
  • Arghire, I. (2016 Nov. 18). “Over-the-Air Update Mechanism Exposes Millions of Android Devices“. SecurityWeek.com. Retrieved from http://www.securityweek.com/over-air-update-mechanism-exposes-millions-android-devices
  • Chiu, A. (2016 Nov. 16). “Vulnerability Spotlight: Multiple File Parsing Bugs in HDF5 File Library Patched“. Cisco Talos [Weblog]. Retrieved from http://blog.talosintel.com/2016/11/hdf5-vulns.html
  • Graves, S. (2016 Nov. 21). “Network Time Foundation Publishes NTP 4.2.8p9“. Network Time Foundation. Retrieved from http://nwtime.org/ntp428p9_release/
  • Kovacs, E. (2016 Nov. 21). “Palo Alto Networks Patches Flaws Found by Google Researcher“. SecurityWeek.com. Retrieved from http://www.securityweek.com/palo-alto-networks-patches-flaws-found-google-researcher
  • Novelly, T. (2016 Nov. 17). “Vulnerability Note VU#624539: Ragentek Android OTA update mechanism vulnerable to MITM attack“. Vulnerability Notes Database. Retrieved from http://www.kb.cert.org/vuls/id/624539
  • Wassermann, G. (2016 Nov. 21). “Vulnerability Note VU#633847: NTP.org ntpd contains multiple denial of service vulnerabilities“.  Vulnerability Notes Database. Retrieved from http://www.kb.cert.org/vuls/id/633847

Vulnerabilities Weekly Summary Ending November 18

VMware releases updates for three vulnerabilities: REST API DoS, out-of-bounds memory access and local privilege escalation in the Linux kernel

This week VMware released two updates for two different vulnerabilities.  The first affects vRealize Operations in its REST API implementation.  If exploited, the vulnerability can cause a denial of service (DoS) by allowing the writing of files with arbitrary content and the moving of existing files into certain folders.

CVE-2016-7462 – “vRealize Operations contains a deserialization vulnerability in its REST API implementation. This issue may result in a Denial of Service as it allows for writing of files with arbitrary content and moving existing files into certain folders. The name format of the destination files is predefined and their names cannot be chosen. Overwriting files is not feasible” (2016 Nov. 15, “VMSA-2016-0020“).

The second vulnerability affects the drag-and-drop function in VMware Workstation, Player and Fusion.  The vulnerability is caused by an out-of-bounds memory access and, if exploited, can allow a guest to execute code on the host operating system.  A workaround exists in Workstation and Fusion: if the drag-and-drop and copy-and-paste functions are disabled, the vulnerability cannot be exploited.  However, this does not work in Player, which could still be exploited (Kovac, E., 2016 Nov. 14).  Either way, the best way to ensure you are protected is to update.

CVE-2016-7461 – “VMware Workstation and Fusion out-of-bounds memory access vulnerability. The drag-and-drop (DnD) function in VMware Workstation and Fusion has an out-of-bounds memory access vulnerability. This may allow a guest to execute code on the operating system that runs Workstation or Fusion” (2016 Nov. 11, “VMSA-2016-0019“).

VMware also released an update last week for the local privilege escalation vulnerability in the Linux kernel. The vulnerability, dubbed “Dirty COW”, allows local attackers to escalate their privileges on the targeted system by modifying existing setuid files (Kovac, E., 2016 Oct. 20).  Many of VMware’s products are built upon the Linux kernel, but only VMware’s Identity Manager and vRealize are affected by it (2016 Nov. 9, “VMSA-2016-0018.1“). Successful exploitation of the vulnerability may allow for local privilege escalation.

CVE-2016-5195 – “Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka ‘Dirty COW'” (CVE.MITRE.org).

Mozilla releases Firefox 50, addressing 27 vulnerabilities

Three of the vulnerabilities were deemed “critical” and are listed below.  The other 24 ranged between high and low risk (2016 Nov. 15, “Security vulnerabilities fixed in Firefox 50“).  Of the three critical ones, probably the most severe was CVE-2016-5296, a heap-buffer-overflow write in Cairo when processing SVG content which, if exploited, could cause a crash.  Besides the vulnerability fixes, Firefox 50 also brings new security features, such as Download Protection, powered by Google’s Safe Browsing API, which scans downloaded executable files for malicious signatures (Arghire, I., 2016 Nov. 16).

CVE-2016-5296 – “A heap-buffer-overflow in Cairo when processing SVG content caused by compiler optimization, resulting in a potentially exploitable crash” (2016 Nov. 15, “Security vulnerabilities fixed in Firefox 50“).

CVE-2016-5289 – “Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code” (2016 Nov. 15, “Security vulnerabilities fixed in Firefox 50“).

CVE-2016-5290 – “Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code” (2016 Nov. 15, “Security vulnerabilities fixed in Firefox 50“).

Symantec announces security advisory for DLL Loading vulnerability affecting its Enterprise Products

Symantec released updates to address a DLL loading issue that affects Symantec IT Management Suite (ITMS), Symantec Ghost Solution Suite (GSS), and Symantec Endpoint Virtualization (SEV) (2016 Nov. 15, “Security Advisories Relating to Symantec Products – DLL Loading Issue in Symantec Enterprise Products“).

CVE-2016-6590 – “an authorized but non-privileged user could potentially leverage this issue to execute arbitrary code with elevated privileges on the system. Ultimately, this problem is caused by a failure to use an absolute path when loading DLLs during product boot up/reboot. This can cause default DLL search logic to be followed and creates the potential for an unauthorized execution of a specifically-crafted DLL substituted for the authorized DLL in the search path. If successfully accomplished, the user’s code could potentially execute with the elevated privileges of the application” (2016 Nov. 15, “Security Advisories Relating to Symantec Products – DLL Loading Issue in Symantec Enterprise Products“).

References:

  • (2016 Nov. 9). “VMSA-2016-0018.1“. VMWare, Inc. Retrieved from http://www.vmware.com/security/advisories/VMSA-2016-0018.html
  • (2016 Nov. 13). “VMSA-2016-0019“. VMWare, Inc. Retrieved from https://www.vmware.com/security/advisories/VMSA-2016-0019.html
  • (2016 Nov. 15). “VMSA-2016-0020“. VMWare, Inc. Retrieved from http://www.vmware.com/security/advisories/VMSA-2016-0020.html
  • (2016 Nov. 15). “Security vulnerabilities fixed in Firefox 50“.  Mozilla Foundation. Retrieved from https://www.mozilla.org/en-US/security/advisories/mfsa2016-89/
  • (2016 Nov. 15). “Security Advisories Relating to Symantec Products – DLL Loading Issue in Symantec Enterprise Products“. Symantec Inc. Retrieved from https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20161115_00
  • Arghire, I. (2016 Nov. 16). “Firefox 50 Patches 27 Vulnerabilities”. SecurityWeek.com. Retrieved from http://www.securityweek.com/firefox-50-patches-27-vulnerabilities
  • Kovac, E.  (2016 Nov. 14). “Hackers Find Code Execution Flaw in VMware Workstation“. SecurityWeek.com. Retrieved from http://www.securityweek.com/hackers-find-code-execution-flaw-vmware-workstation
  • Kovac, E. (2016 Oct. 20). “‘Dirty COW’ Linux Kernel Exploit Seen in the Wild”. SecurityWeek.com. Retrieved from http://www.securityweek.com/dirty-cow-linux-kernel-flaw-exploit-seen-wild
  • CVE.MITRE.org. Common Vulnerabilities and Exposures (CVE): a dictionary of publicly known information security vulnerabilities and exposures, international in scope and free for public use in accordance with its terms of use.

Current Vulnerability Trends

Increased Adobe Flash Vulnerabilities Exploitation

In 2015 Adobe Flash was among the most exploited applications (2016 Feb., “HPE Security Research: Cyber Risk Report 2016“).  Among the most exploited Adobe vulnerabilities were the major zero-day vulnerabilities CVE-2015-5119, CVE-2015-5122 and CVE-2015-5123 (Krebs, B., 2015 Jul. 15).  Just days after CVE-2015-5119 was announced, it was found in seven exploit kits: Angler, Neutrino, Nuclear Pack, Magnitude, RIG, Hanjuan and Nullhole (Kafeine, 2015 Jul. 7) (Li, B., 2015 Jul. 7).  CVE-2015-5122 was likewise found in six exploit kits: Angler, Neutrino, Nuclear Pack, RIG, Magnitude and Nullhole (Kafeine, 2015 Jul. 11).  Only CVE-2015-5123 was not found in any kits, though the exploit code is public and could potentially appear in kits in the future.

Due to the severity of the vulnerabilities and the availability of the exploit kits, many vendors who use Adobe Flash on their websites were forced to temporarily block it to prevent their customers from being affected (2016, “2016 Cyberthreat and Trends Report“).  Likewise, browser giants Google Chrome and Mozilla Firefox decided to block older versions of Adobe Flash altogether to better protect their customers (Woollaston, V., 2015 Jul. 14). Building on that, both Mozilla and Google Chrome announced this past summer that they will drop support for Adobe Flash altogether, citing security concerns (Smedberg, B., 2016 Jul. 26) (LaForge, A., 2016 Aug. 9).  Instead they will move on to HTML5, which is more secure and efficient.

The rise of Adobe Flash exploits may have contributed to the decline of the previously frequent Java exploits, as reported by Microsoft in their “2016 Trends in Cybersecurity” report.  According to Microsoft, the top Java vulnerabilities, CVE-2012-1723, CVE-2010-0840, CVE-2012-0507 and CVE-2013-0422, all saw decreased use in 2015 as detected by Microsoft’s anti-malware products (Microsoft, 2016).  HP also reported similar information, stating that “Although several vulnerabilities in JRE were discovered in 2015, none of them allowed remote code execution which lowers the interest of malware attackers in Java. Combine this with the fact that many people learned how to disable Java from running within a web browser environment, and it is easy to understand why Java fell in 2015” (Hewlett-Packard Enterprise, 2016).  Cybercriminals may now be relying more on Adobe Flash’s vulnerabilities to deliver malware instead of Java.

Windows Still the Most Exploited Platform, but Not the Most Exploited Software

According to Hewlett Packard Enterprise’s Cyber Risk Report 2016, the Windows family of operating systems is still the most exploited platform, with 42% of the top 20 exploits targeting Windows (Hewlett-Packard Enterprise, 2016).  Likewise, Windows is the platform with the most malware, at 94%, with Android a distant second. Focusing on Windows malware, worms and viruses such as Allaple and Elkern are among the top malware families affecting Windows.  Allaple is a polymorphic worm discovered more than eight years ago that affects HTML files.  Likewise, Elkern is a virus that was discovered more than ten years ago and was mostly a nuisance, overwriting and deleting files.  The fact that the top two malware families affecting Windows are worms and viruses from eight to ten years ago shows that patching machines is still very much a problem (Hewlett-Packard Enterprise, 2016).

Despite Windows being the most exploited platform, it is not the most exploited family of software.  According to Microsoft, vulnerabilities in the core Windows operating system accounted for only a little under 1,000 vulnerabilities in the second half of 2015.  In contrast, software applications that were not created by Microsoft accounted for about 1,500 vulnerabilities in the same time frame (Microsoft, 2016 May 5).  According to Microsoft’s “2016 Trends in Cybersecurity” report, most IT departments concentrate on patching operating systems, but as the numbers show, operating systems account for a minimal share of vulnerabilities when compared to applications.  IT departments need to spend time assessing and patching software applications or they will miss many potentially harmful ways their systems could be exploited via these applications (Microsoft, 2016).  According to HP, Adobe PDF and HTML may be the most widely exploited software, at least when exploitation occurs via the web or email (Hewlett-Packard Enterprise, 2016).

Number of critical vulnerabilities up; Insecure Transport and Privacy Violations vulnerabilities were most seen

In its “Security Intelligence Report”, Microsoft reported a little under 1,500 “high-critical” priority vulnerabilities in the second half of 2015, up from previous years. Similarly, over 1,800 vulnerabilities reported in the second half of 2015 were considered “low complexity”; in other words, they are not very complex, so they are easy to exploit, which makes them more critical.  This figure too was up from previous years (Microsoft, 2016 May 5).

According to Hewlett-Packard’s (HP) “Cyber Risk Report 2016”, the most widely seen vulnerabilities were grouped into categories, and the top two categories were “System Information Leak: External” and “Insecure Transport: Hypertext Transfer Protocol Strict Transport Security (HSTS) not set”.  “System information leak: external” is when overly detailed error messages leak system data that might help attackers gain dangerous visibility into the system.  “Insecure transport: HSTS not set” is when HSTS, which is used to counter man-in-the-middle (MitM) attacks against Secure Sockets Layer/Transport Layer Security (SSL/TLS), is not configured.  With HSTS not set up, attacks such as downgrade and cookiejacking can occur.

Despite these two categories of vulnerabilities being the most seen, they are not the most critical vulnerabilities seen. HP also went through the most critical vulnerabilities that occurred most often and categorized them as well. The top two most critical categories were “Insecure Transport: Weak SSL Protocol” and “Privacy Violations”.  “Insecure Transport: Weak SSL Protocol” is mostly due to two SSL/TLS vulnerabilities from late 2014, CVE-2014-3566 and CVE-2014-8730, also known as the POODLE attack, which take advantage of old SSL v3 weaknesses (Moller, B. et al, 2014).  Many developers may still continue to use weak SSL protocols and ciphers in 2016 because they are backwards compatible, even though the security risks are obvious. As for privacy violations, one easy-to-prevent but still commonly occurring reason for this being a top critical vulnerability is that almost 10% of applications make use of hard-coded passwords (Hewlett Packard Enterprise, 2016).
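As an added example that is not part of the HP report or this summary’s sources, the Python audit below classifies constructed sample responses into the “Insecure Transport: HSTS not set” and “Insecure Transport: Weak SSL Protocol” categories discussed above: it parses the Strict-Transport-Security header per RFC 6797, flags SSLv3 (the version POODLE abuses), and flags cookies lacking the Secure attribute, which is what makes cookiejacking possible when HSTS is absent.

```python
"""Added example: audit a response header set and the server's enabled
protocol list against the Insecure Transport categories named in the text.
All sample data is constructed, not captured from a real site."""
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]               # (name, value); repeated names allowed (Set-Cookie)
ONE_YEAR = 31_536_000                  # seconds; a widely recommended minimum HSTS max-age
WEAK_PROTOCOLS = {"SSLV2", "SSLV3"}    # SSLv3 is the version POODLE (CVE-2014-3566) exploits


def parse_hsts(value: Optional[str]) -> Optional[Dict[str, object]]:
    """Parse a Strict-Transport-Security value (RFC 6797 directive syntax).
    Returns None if the header is absent or max-age is missing/malformed,
    in which case browsers ignore the policy entirely."""
    if value is None:
        return None
    policy: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "max-age":
            if not raw.isdigit():
                return None                      # malformed max-age: whole header is ignored
            policy["max_age"] = int(raw)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def audit_transport(headers: List[Header], enabled_protocols: List[str]) -> List[str]:
    """Return findings labelled with the report's category names."""
    findings: List[str] = []
    hsts_values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    policy = parse_hsts(hsts_values[0] if hsts_values else None)   # RFC 6797: first header wins
    if policy is None:
        findings.append("Insecure Transport: HSTS not set")
    else:
        if policy["max_age"] == 0:
            findings.append("Insecure Transport: HSTS max-age=0 (policy disabled)")
        elif policy["max_age"] < ONE_YEAR:
            findings.append(f"Insecure Transport: HSTS max-age too short ({policy['max_age']}s)")
        if not policy["include_subdomains"]:
            findings.append("Insecure Transport: HSTS without includeSubDomains")
    # A cookie without Secure is sent over plain HTTP too, enabling cookiejacking.
    for n, v in headers:
        if n.lower() == "set-cookie":
            attrs = [a.strip().lower() for a in v.split(";")[1:]]
            if "secure" not in attrs:
                findings.append(f"Insecure Transport: cookie '{v.split('=')[0]}' without Secure attribute")
    weak = [p for p in enabled_protocols if p.upper() in WEAK_PROTOCOLS]
    if weak:
        findings.append("Insecure Transport: Weak SSL Protocol (" + ", ".join(weak) + ")")
    return findings


# Constructed sample responses: the weak configuration beside the corrected one.
WEAK_SITE: List[Header] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; HttpOnly"),
]
HARDENED_SITE: List[Header] = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
    ("Set-Cookie", "session=abc123; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, hdrs, protos in (("weak", WEAK_SITE, ["SSLv3", "TLSv1.2"]),
                                ("hardened", HARDENED_SITE, ["TLSv1.2"])):
        print(label, audit_transport(hdrs, protos) or ["no findings"])
```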

References:

  • Hewlett-Packard Enterprise. (2016 Feb.). “HPE Security Research: Cyber Risk Report 2016“. Hewlett Packard Enterprise Development LP. Retrieved from http://www8.hp.com/us/en/software-solutions/cyber-risk-report-security-vulnerability/
  • Kafeine. (2015 Jul. 7). “CVE-2015-5119 (HackingTeam 0d – Flash up to 18.0.0.194) and Exploit Kits“. Malware don’t need Coffee [Weblog].  Retrieved from http://malware.dontneedcoffee.com/2015/07/hackingteam-flash-0d-cve-2015-xxxx-and.html
  • Kafeine. (2015 Jul. 11). “CVE-2015-5122 (HackingTeam 0d – Flash up to 18.0.0.194) and Exploit Kits“. Malware don’t need Coffee [Weblog]. Retrieved from http://malware.dontneedcoffee.com/2015/07/cve-2015-5122-hackingteam-0d-two-flash.html
  • Li, B. (2015 Jul. 7). “Hacking Team Flash Zero-Day Integrated Into Exploit Kits“. TrendLabs Security Intelligence Blog [Weblog]. TrendMicro, Inc. Retrieved from http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-flash-zero-day-integrated-into-exploit-kits/
  • Krebs, B. (2015 Jul. 15). “Third Hacking Team Flash Zero-Day Found“. Krebs on Security [Weblog]. Retrieved from https://krebsonsecurity.com/2015/07/third-hacking-team-flash-zero-day-found/
  • Verisign. (2016). “2016 Cyberthreat and Trends Report“. Verisign, Inc. Retrieved from https://www.verisign.com/en_US/forms/reportcyberthreatstrends.xhtml
  • Microsoft. (2016). “2016 Trends in Cybersecurity”. Microsoft Corporation. Retrieved from https://info.microsoft.com/rs/157-GQE-382/images/EN-MSFT-SCRTY-CNTNT-eBook-cybersecurity.pdf
  • Microsoft. (2016 May 5). “Microsoft Security Intelligence Report Volume 20: Key Findings”. Microsoft Corporation. Retrieved from https://www.microsoft.com/security/sir/default.aspx
  • Woollaston, V. (2015 Jul. 14). “Google and Mozilla pull the plug on Adobe Flash: Tech giants disable the program on browsers following ‘critical’ security flaw”. Daily Mail [Newspaper]. Associated Newspapers Ltd. Retrieved from http://www.dailymail.co.uk/sciencetech/article-3160644/Google-Mozilla-pull-plug-Adobe-Flash-Tech-giantsdisable-program-browsers-following-critical-security-flaw.html
  • Smedberg, B. (2016 Jul. 26). “Reducing Adobe Flash Usage in Firefox”. Mozilla Foundation. Retrieved from https://blog.mozilla.org/futurereleases/2016/07/20/reducing-adobe-flash-usage-in-firefox/
  • Moller, B., Duong, T., Kotowicz, K. (2014 Sept). “This POODLE Bites: Exploiting The SSL 3.0 Fallback“. OpenSSL. Retrieved from https://www.openssl.org/%7Ebodo/ssl-poodle.pdf
  • LaForge, A. (2016 Aug. 9). “Flash and Chrome“. Google Chrome Blog [Weblog]. Alphabet Inc. Retrieved from https://chrome.googleblog.com/2016/08/flash-and-chrome.html

Vulnerabilities Weekly Summary Ending November 11

This week Microsoft’s Patch Tuesday security bulletin includes fixes for two zero-days, and Adobe released its security bulletin for the month to coincide with Microsoft’s.

Microsoft Security Bulletin (Patch Tuesday) for the month of November

Microsoft’s security bulletin for the month has been released and, as usual, fixes many vulnerabilities.  Below is a list of the vulnerabilities deemed critical (2016 Nov. 8, “Microsoft Security Bulletin Summary for November 2016“).  This includes a zero-day, CVE-2016-7255, that is currently being exploited in the wild and was reported to Microsoft by Google back in October (Kovacs, E., 2016 Nov. 8). CVE-2016-7255 is currently being exploited in spear-phishing attacks originating from the Russia-based group APT28 (Kovacs, E., 2016 Nov. 2).  Another zero-day that is also being exploited is CVE-2016-7256, which is due to the way the Windows font library handles specially crafted embedded fonts (Kovacs, E., 2016 Nov. 8).  The updates released in this bulletin fix these vulnerabilities, so be sure to install them.

  • Microsoft Edge
    • CVE-2016-7195 – Microsoft Browser Memory Corruption Vulnerability (2016 Nov. 8, “Microsoft Security Bulletin MS16-129 – Critical“).
    • CVE-2016-7196 – Microsoft Browser Memory Corruption Vulnerability
    • CVE-2016-7198 – Microsoft Browser Memory Corruption Vulnerability
    • CVE-2016-7199 – Microsoft Browser Information Disclosure Vulnerability
    • CVE-2016-7200 – Scripting Engine Memory Corruption Vulnerability
    • CVE-2016-7201 – Scripting Engine Memory Corruption Vulnerability
    • CVE-2016-7202 – Scripting Engine Memory Corruption Vulnerability
    • CVE-2016-7203 – Scripting Engine Memory Corruption Vulnerability
    • CVE-2016-7204 – Microsoft Edge Information Disclosure Vulnerability
    • CVE-2016-7208 – Scripting Engine Memory Corruption Vulnerability
  • Microsoft Internet Explorer
    • CVE-2016-7195 – Microsoft Browser Memory Corruption Vulnerability (2016 Nov. 8, “Microsoft Security Bulletin MS16-142 – Critical“).
    • CVE-2016-7196 – Microsoft Browser Memory Corruption Vulnerability
    • CVE-2016-7198 – Microsoft Browser Memory Corruption Vulnerability
    • CVE-2016-7241 – Microsoft Browser Memory Corruption Vulnerability
  • Microsoft Windows
    • CVE-2016-7212 – Windows Remote Code Execution Vulnerability (2016 Nov. 8, “Microsoft Security Bulletin MS16-130 – Critical“).
  • Microsoft Video Control
    • CVE-2016-7248 – Microsoft Video Control Remote Code Execution Vulnerability (2016 Nov. 8, “Microsoft Security Bulletin MS16-131 – Critical”).
  • Microsoft Graphics Component
    • CVE-2016-7205 – Windows Animation Manager Memory Corruption Vulnerability (2016 Nov. 8, “Microsoft Security Bulletin MS16-132 – Critical”).
    • CVE-2016-7256 – Open Type Font Remote Code Execution Vulnerability
  • Windows Kernel-Mode Drivers
    • CVE-2016-7255 – Win32k Elevation of Privilege Vulnerability (2016 Nov. 8, “Microsoft Security Bulletin MS16-135 – Important”).

Adobe Security Bulletin for the month of November

Adobe released security bulletins for Adobe Flash Player (2016 Nov. 8, “Security updates available for Adobe Flash Player”) and Adobe Connect (2016 Nov. 8, “Security updates available for Adobe Connect”).  The Flash Player update addresses type confusion and use-after-free vulnerabilities, all of which could lead to code execution.

Adobe Flash Player:

  • CVE-2016-7860 – type confusion vulnerability that could lead to code execution
  • CVE-2016-7861 – type confusion vulnerability that could lead to code execution
  • CVE-2016-7865 – type confusion vulnerability that could lead to code execution
  • CVE-2016-7857 – use-after-free vulnerability that could lead to code execution
  • CVE-2016-7858 – use-after-free vulnerability that could lead to code execution
  • CVE-2016-7859 – use-after-free vulnerability that could lead to code execution
  • CVE-2016-7862 – use-after-free vulnerability that could lead to code execution
  • CVE-2016-7863 – use-after-free vulnerability that could lead to code execution
  • CVE-2016-7864 – use-after-free vulnerability that could lead to code execution

Adobe Connect:

  • CVE-2016-7851 – input validation vulnerability in the events registration module that could be used in cross-site scripting attacks

References

  • (2016 Nov. 8). “Microsoft Security Bulletin Summary for November 2016“. Microsoft Corp. Retrieved from https://technet.microsoft.com/en-us/library/security/ms16-nov
  • (2016 Nov. 8). “Microsoft Security Bulletin MS16-129 – Critical“. Microsoft Corp. Retrieved from https://technet.microsoft.com/library/security/MS16-129
  • (2016 Nov. 8). “Microsoft Security Bulletin MS16-142 – Critical“. Microsoft Corp. Retrieved from https://technet.microsoft.com/library/security/MS16-142
  • (2016 Nov. 8). “Microsoft Security Bulletin MS16-130 – Critical“. Microsoft Corp. Retrieved from https://technet.microsoft.com/library/security/MS16-130
  • (2016 Nov. 8). “Microsoft Security Bulletin MS16-131 – Critical”. Microsoft Corp. Retrieved from https://technet.microsoft.com/library/security/MS16-131
  • (2016 Nov. 8). “Microsoft Security Bulletin MS16-132 – Critical”. Microsoft Corp. Retrieved from https://technet.microsoft.com/library/security/MS16-132
  • (2016 Nov. 8). “Microsoft Security Bulletin MS16-135 – Important”. Microsoft Corp. Retrieved from https://technet.microsoft.com/library/security/MS16-135
  • Kovacs, E. (2016 Nov. 8). “Microsoft Patches Windows Zero-Day Exploited by Russian Hackers“. Securityweek.com. Wired Business Media. Retrieved from http://www.securityweek.com/microsoft-patches-windows-zero-day-exploited-russian-hackers
  • Kovacs, E. (2016 Nov. 2). “Windows Zero-Day Exploited by Russia-Linked Cyberspies“. Securityweek.com. Wired Business Media. Retrieved from http://www.securityweek.com/windows-zero-day-exploited-russia-linked-cyberspies
  • (2016 Nov. 8). “Security updates available for Adobe Flash Player”. Adobe Systems Inc. Retrieved from https://helpx.adobe.com/security/products/flash-player/apsb16-37.html
  • (2016 Nov. 8). “Security updates available for Adobe Connect”. Adobe Systems Inc. Retrieved from https://helpx.adobe.com/security/products/connect/apsb16-35.html
  • CVE.MITRE.org. Common Vulnerabilities and Exposures (CVE): a dictionary of publicly known information security vulnerabilities and exposures. The MITRE Corporation. Retrieved from https://cve.mitre.org/

Vulnerabilities Weekly Summary Ending November 4

This week Cisco released security advisories addressing 10 vulnerabilities, 4 of which are rated critical or high.  The Internet Systems Consortium (ISC) released an update that addresses a denial-of-service vulnerability in BIND, and Google released Chrome 54.0.2840 with security fixes.

Cisco Security Advisories for ASR 900, Prime Home and Meeting Server

Cisco released security advisories for 10 vulnerabilities, including 4 rated critical or high.  Cisco ASR 900 Series routers suffer from a vulnerability that, if exploited, could allow an unauthenticated, remote attacker to cause a reload of, or remotely execute code on, the device.  The Cisco Prime Home web GUI suffers from an authentication bypass vulnerability that could allow an unauthenticated, remote attacker to obtain full administrator privileges.  Cisco Meeting Server suffers from two memory-safety vulnerabilities, a buffer overflow in the SDP parser and a buffer underflow in IPv6 handling, both of which could allow an unauthenticated, remote attacker to execute arbitrary code on the server.  Below is a list of these and the other vulnerabilities from the advisories:

CVE-2016-6441 – “A vulnerability in the Transaction Language 1 (TL1) code of Cisco ASR 900 Series routers could allow an unauthenticated, remote attacker to cause a reload of, or remotely execute code on, the affected system.  The vulnerability exists because the affected software performs incomplete bounds checks on input data. An attacker could exploit this vulnerability by sending a malicious request to the TL1 port, which could cause the device to reload. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or cause a reload of the affected system” (2016 Nov. 2, “Cisco ASR 900 Series Aggregation Services Routers Buffer Overflow Vulnerability“).

CVE-2016-6452 – A vulnerability in the web-based graphical user interface of Cisco Prime Home could allow an unauthenticated, remote attacker to bypass authentication and be granted full administrator privileges, and with them the ability to perform any action in Cisco Prime Home (2016 Nov. 2, “Cisco Prime Home Authentication Bypass Vulnerability“).

CVE-2016-6448 – “A vulnerability in the Session Description Protocol (SDP) parser of Cisco Meeting Server could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system.  The vulnerability exists because the affected software performs incomplete input validation of the size of media lines in session descriptions. An attacker could exploit this vulnerability by sending crafted packets to the SDP parser on an affected system. A successful exploit could allow the attacker to cause a buffer overflow condition on an affected system, which could allow the attacker to execute arbitrary code on the system” (2016 Nov. 2, “Cisco Meeting Server Session Description Protocol Media Lines Buffer Overflow Vulnerability“).
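The two Cisco flaws quoted above, the TL1 handler with incomplete bounds checks (CVE-2016-6441) and the SDP parser that fails to validate the size of media lines (CVE-2016-6448), are the same bug class: attacker-controlled input copied into a fixed-size buffer without first comparing its length to that buffer. The C program below is an added illustration written for this summary, not Cisco’s code; the buffer size, the function names and the two sample session descriptions are constructed for the example. It shows the unchecked copy beside a length-checked one, and a small SDP walker that rejects an entire session description as soon as one `m=` line does not fit.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size buffer for one SDP media line ("m=...").
 * Cisco's real sizes are not public; this only illustrates the bug class. */
#define MEDIA_LINE_MAX 64

/* The vulnerable pattern the advisory describes: the length of the m= line is
 * never compared against the destination, so a crafted session description
 * overruns the buffer. Shown for contrast only; never call it on untrusted input. */
void copy_media_line_unsafe(const char *line, size_t len, char out[MEDIA_LINE_MAX])
{
    memcpy(out, line, len);   /* len may exceed MEDIA_LINE_MAX */
    out[len] = '\0';
}

/* Hardened version: reject any media line that does not fit together with
 * its terminating NUL. Returns 0 on success, -1 when the line is refused. */
int copy_media_line(const char *line, size_t len, char *out, size_t out_sz)
{
    if (line == NULL || out == NULL || out_sz == 0)
        return -1;
    if (len >= out_sz)        /* leave room for the NUL */
        return -1;
    memcpy(out, line, len);
    out[len] = '\0';
    return 0;
}

/* Walks a session description line by line and returns the number of m= lines
 * accepted, or -1 as soon as one media line exceeds MEDIA_LINE_MAX-1 bytes.
 * Lines end in "\r\n" or "\n"; the walk is bounded by sdp_len, so a missing
 * terminator cannot run past the input buffer either. */
int count_media_lines(const char *sdp, size_t sdp_len)
{
    char line_buf[MEDIA_LINE_MAX];
    size_t pos = 0;
    int media = 0;

    while (pos < sdp_len) {
        const char *start = sdp + pos;
        const char *nl = memchr(start, '\n', sdp_len - pos);
        size_t len = nl ? (size_t)(nl - start) : sdp_len - pos;
        size_t body = len;
        if (body > 0 && start[body - 1] == '\r')
            body--;                                   /* strip the CR of CRLF */
        if (body >= 2 && start[0] == 'm' && start[1] == '=') {
            if (copy_media_line(start, body, line_buf, sizeof line_buf) != 0)
                return -1;   /* oversized media line: fail closed on the whole SDP */
            media++;
        }
        pos += len + (nl ? 1 : 0);
    }
    return media;
}

/* Constructed well-formed offer (not captured traffic). */
static const char GOOD_SDP[] =
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "m=video 51372 RTP/AVP 99\r\n";

int check_good_sdp(void)
{
    return count_media_lines(GOOD_SDP, sizeof GOOD_SDP - 1);
}

/* Builds a constructed malicious offer whose single m= line is padded far
 * beyond MEDIA_LINE_MAX, the shape of input the advisory warns about. */
int check_crafted_sdp(void)
{
    char sdp[512];
    size_t n = (size_t)snprintf(sdp, sizeof sdp, "v=0\r\nm=audio 49170 RTP/AVP ");
    memset(sdp + n, '9', 300);   /* 300 bytes of payload-type list */
    n += 300;
    memcpy(sdp + n, "\r\n", 2);
    n += 2;
    return count_media_lines(sdp, n);
}

/* Boundary check: exactly MEDIA_LINE_MAX-1 bytes fit, one more byte is refused. */
int check_boundary(void)
{
    char line[MEDIA_LINE_MAX + 1];
    char out[MEDIA_LINE_MAX];
    memset(line, 'a', sizeof line);
    line[0] = 'm';
    line[1] = '=';
    if (copy_media_line(line, MEDIA_LINE_MAX - 1, out, sizeof out) != 0) return -1;
    if (copy_media_line(line, MEDIA_LINE_MAX, out, sizeof out) != -1) return -2;
    return 0;
}

int main(void)
{
    printf("well-formed offer: %d media lines\n", check_good_sdp());
    printf("crafted offer: %d (rejected)\n", check_crafted_sdp());
    printf("boundary check: %d\n", check_boundary());
    return 0;
}
```

The design choice that matters is failing closed: an oversized media line is a protocol violation from an untrusted peer, so the walker returns an error for the whole message instead of truncating the line and carrying on, which would silently change the meaning of the offer and still leave the caller reasoning about a partially parsed session.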

CVE-2016-6447 – “A vulnerability in Cisco Meeting Server and Meeting App could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system.  The vulnerability exists because the software does not perform sufficient boundary checks on user-supplied data. An unauthenticated, remote attacker could exploit this vulnerability by sending crafted IPv6 input to the vulnerable function. A successful exploit could result in an exploitable buffer underflow condition. An attacker could leverage this buffer underflow condition to incorrectly allocate memory and cause a reload of the device or execute arbitrary code with the privileges of the affected application” (2016 Nov. 2, “Cisco Meeting Server and Meeting App Buffer Underflow Vulnerability”).

CVE-2016-6459 – “Cisco TelePresence endpoints running either CE or TC software contain a vulnerability that could allow an authenticated, local attacker to execute a local shell command injection.  The vulnerability is due to incomplete input sanitization of some commands. An attacker could exploit this vulnerability by executing local shell commands with commands injected as parameters. An exploit could allow the attacker to retrieve full information from the device including private keys” (2016 Nov. 2, “Cisco TelePresence Endpoints Local Command Injection Vulnerability”).

CVE-2016-6457 – “A vulnerability in the Cisco Nexus 9000 Series Platform Leaf Switches for Application Centric Infrastructure (ACI) could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on the affected device.  The vulnerability is due to improper handling of a type of Layer 2 control plane traffic. An attacker could exploit this vulnerability by sending crafted traffic to a host behind a leaf switch. An exploit could allow the attacker to cause a DoS condition on the affected device” (2016 Nov. 2, “Cisco Application Policy Infrastructure Controller Denial of Service Vulnerability”).

CVE-2016-6458 – “A vulnerability in the content filtering functionality of Cisco AsyncOS Software for Cisco Email Security Appliances could allow an unauthenticated, remote attacker to bypass content filters configured on an affected device. Email that should have been filtered could instead be forwarded by the device.  The vulnerability is due to incorrect validation of protected or encrypted email attachments that are Roshal Archive (RAR) format files. An attacker could exploit this vulnerability by sending an email message that has a crafted RAR file attachment through an affected device. A successful exploit could allow the attacker to bypass content filters that are configured to detect and act upon protected or encrypted email attachments” (2016 Nov. 2 “Cisco Email Security Appliance RAR File Attachment Scanner Bypass Vulnerability”).

CVE-2016-6455 – “A vulnerability in the Slowpath of StarOS for Cisco ASR 5500 Series routers with Data Processing Card 2 (DPC2) could allow an unauthenticated, remote attacker to cause a subset of the subscriber sessions to be disconnected, resulting in a partial denial of service (DoS) condition.  The vulnerability is due to improper processing during the handoff of reassembled IPv4 or IPv6 packets. An attacker could exploit this vulnerability by sending crafted IPv4 or IPv6 fragments across the ASR 5500 Series router. An exploit could allow the attacker to cause an instance of the sessmgr service on the affected device to reload. A reload of the sessmgr service will cause all subscriber sessions serviced by that task to be disconnected, resulting in a denial of service (DoS) condition” (2016 Nov. 2, “Cisco ASR 5500 Series with DPC2 Cards SESSMGR Denial of Service Vulnerability”).

CVE-2016-6360 – “A vulnerability in Advanced Malware Protection (AMP) for Cisco Email Security Appliances (ESA) and Web Security Appliances (WSA) could allow an unauthenticated, remote attacker to cause a partial denial of service (DoS) condition due to the AMP process unexpectedly restarting.  The vulnerability is due to improper validation of a Java Archive (JAR) file that is scanned when AMP is configured. An attacker could exploit this vulnerability by crafting a JAR file and attaching this JAR file to an email that is then sent through the ESA, or allowing the JAR file to be download from the web through the WSA. An exploit could allow the attacker to cause the Cisco ESA and WSA AMP process to unexpectedly restart due to the malformed JAR file” (2016 Nov. 2, “Cisco Email and Web Security Appliance JAR Advanced Malware Protection DoS Vulnerability”).

The Internet Systems Consortium releases updates that address a vulnerability in BIND

The Internet Systems Consortium (ISC) has released updates that address a remotely triggerable denial-of-service vulnerability in BIND; recursive resolvers are the servers chiefly at risk.

CVE-2016-8864 “A defect in BIND‘s handling of responses containing a DNAME answer can cause a resolver to exit after encountering an assertion failure in db.c or resolver.c.  During processing of a recursive response that contains a DNAME record in the answer section, BIND can stop execution after encountering an assertion error in resolver.c (error message: “INSIST((valoptions & 0x0002U) != 0) failed”) or db.c (error message: “REQUIRE(targetp != ((void *)0) && *targetp == ((void *)0)) failed”).  A server encountering either of these error conditions will stop, resulting in denial of service to clients.  The risk to authoritative servers is minimal; recursive servers are chiefly at risk” (McNally, M., 2016 Nov. 1).

Chrome releases update 54.0.2840 addressing vulnerabilities

Google released Chrome 54.0.2840.87 for Windows and Mac and 54.0.2840.90 for Linux.  So far only one vulnerability fixed by this update has been disclosed, an out-of-bounds memory access in V8, Chrome’s JavaScript engine, which is reachable from any web page the browser renders.

CVE-2016-5198 – “Out of bounds memory access in V8” (2016 Nov. 1, “Stable Channel Update for Desktop”).

References:

(2016 Nov. 2). “Cisco ASR 900 Series Aggregation Services Routers Buffer Overflow Vulnerability“. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-asr900

(2016 Nov. 2). “Cisco Prime Home Authentication Bypass Vulnerability“. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-cph

(2016 Nov. 2). “Cisco Meeting Server Session Description Protocol Media Lines Buffer Overflow Vulnerability“. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-cms1

(2016 Nov. 2). “Cisco Meeting Server and Meeting App Buffer Underflow Vulnerability”. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-cms

(2016 Nov. 2). “Cisco TelePresence Endpoints Local Command Injection Vulnerability”. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-tp

(2016 Nov. 2). “Cisco Application Policy Infrastructure Controller Denial of Service Vulnerability”. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-n9kapic

(2016 Nov. 2). “Cisco Email Security Appliance RAR File Attachment Scanner Bypass Vulnerability”. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-esa

(2016 Nov. 2). “Cisco ASR 5500 Series with DPC2 Cards SESSMGR Denial of Service Vulnerability”. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-asr

(2016 Nov. 2). “Cisco Email and Web Security Appliance JAR Advanced Malware Protection DoS Vulnerability”. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-esawsa3

McNally, M. (2016 Nov. 1). “CVE-2016-8864: A problem handling responses containing a DNAME answer can lead to an assertion failure”. Internet Systems Consortium.  Retrieved from https://kb.isc.org/article/AA-01434/0

(2016 Nov. 1). “Stable Channel Update for Desktop”. Google Chrome. Alphabet, Inc. Retrieved from https://googlechromereleases.blogspot.com/2016/11/stable-channel-update-for-desktop.html

Vulnerabilities Weekly Summary Ending October 28

Cisco Security Advisories focusing on WebEx and Email Security Appliance

Cisco has once again announced a large batch of security advisories; below are the ones deemed most critical.  Once again WebEx is among the Cisco products with a critical vulnerability being addressed.  As noted before, web conferencing is an attractive target for attackers, so keeping WebEx free of vulnerabilities is presumably a priority for Cisco.  Also note that nine vulnerabilities were addressed in Cisco’s Email Security Appliance (ESA).  The ESA is a critical security appliance: it defends against inbound email-borne threats such as phishing and spam, performs sandbox analysis of attachments, and encrypts outbound email.  If vulnerabilities in an appliance sitting in the mail path were exploited, an attacker could disrupt or bypass the protection of the systems behind it, so Cisco is quick to fix flaws in it.

CVE-2016-1464 – “A vulnerability in Cisco WebEx Meetings Player could allow an unauthenticated, remote attacker to execute arbitrary code.  The vulnerability is due to improper handling of user-supplied files. An attacker could exploit this vulnerability by persuading a user to open a malicious WRF file by using the affected software. A successful exploit could allow the attacker to execute arbitrary code on the system with the privileges of the user” (2016 Oct. 26, “Cisco WebEx Meetings Player Arbitrary Code Execution Vulnerability”).

CVE-2016-6453 – “A vulnerability in the web framework code of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary SQL commands on the database.  The vulnerability is due to insufficient controls on Structured Query Language (SQL) statements. An attacker could exploit this vulnerability by sending crafted URLs that contain malicious SQL statements to the affected system. An exploit could allow the attacker to determine the presence of certain values in the database.” (2016 Oct. 26, “Cisco Identity Services Engine SQL Injection Vulnerability“).

CVE-2016-5195 – “[A] vulnerability related to a race condition in the memory manager of the Linux Kernel was disclosed. This vulnerability could allow unprivileged, local users to gain write access to otherwise read-only memory mappings to increase their privileges on the system” (2016 Oct. 26, “Vulnerability in Linux Kernel Affecting Cisco Products: October 2016“).  This is the kernel flaw widely known as Dirty COW, and Cisco’s advisory covers the Cisco products that ship a Linux kernel.

CVE-2016-1481 – “[A] vulnerability in the email message filtering feature of Cisco AsyncOS Software for Cisco Email Security Appliances could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device” (2016 Oct. 26, “Cisco Email Security Appliance Malformed DGN File Attachment Denial of Service Vulnerability”).

See US-CERT’s posting for the complete listing of Cisco’s security advisories for this week (2016 Oct. 26, “Cisco Releases Security Updates for Multiple Products“).

Adobe Flash Security Bulletin for critical vulnerability

Adobe released a bulletin to fix a critical vulnerability in Flash Player.  Adobe reports that an exploit for this vulnerability exists in the wild and is being used in limited, targeted attacks against users on the Windows platform.  The update that fixes it is available for Windows, macOS and Linux.

CVE-2016-7855 – “use-after-free vulnerability that could lead to code execution” (2016 Oct. 26, “Security updates available for Adobe Flash Player”).

References:

(2016 Oct. 26). “Cisco WebEx Meetings Player Arbitrary Code Execution Vulnerability“. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160831-meetings-player

(2016 Oct. 26). “Cisco Identity Services Engine SQL Injection Vulnerability“. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-ise

(2016 Oct. 26). “Vulnerability in Linux Kernel Affecting Cisco Products: October 2016“. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-linux

(2016 Oct. 26). “Cisco Email Security Appliance Malformed DGN File Attachment Denial of Service Vulnerability”. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-esa1

(2016 Oct. 26).  “Security updates available for Adobe Flash Player“. Adobe Systems Inc. Retrieved from https://helpx.adobe.com/security/products/flash-player/apsb16-36.html

(2016 Oct. 26). “Cisco Releases Security Updates for Multiple Products“. US-CERT. Retrieved from https://www.us-cert.gov/ncas/current-activity/2016/10/26/Cisco-Releases-Security-Updates-Multiple-Products

CVE.MITRE.org. Common Vulnerabilities and Exposures (CVE): a dictionary of publicly known information security vulnerabilities and exposures. The MITRE Corporation. Retrieved from https://cve.mitre.org/

Vulnerabilities Weekly Summary Ending October 21

Cisco Security Advisories for Cisco ASA, Firepower and Meeting Server

Cisco announced five security advisories addressing vulnerabilities affecting its Adaptive Security Appliance (ASA) software, Cisco Firepower software and Cisco Meeting Server.  Vulnerability CVE-2016-6432 has been deemed critical; it affects the Identity Firewall feature of the Cisco ASA and, if exploited, could allow an unauthenticated, remote attacker to execute code remotely.  On an opinionated note, there seem to be a lot of vulnerability fixes for Cisco ASA devices; it is good to know that these vulnerabilities are being found and fixed quickly, before they can be exploited in the wild.  It is to be expected that Cisco would quickly find and fix vulnerabilities in the ASA, as it is one of its best-selling products (Kuranda, S., 2015).

CVE-2016-6432 – “A vulnerability in the Identity Firewall feature of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.  The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending a crafted NetBIOS packet in response to a NetBIOS probe sent by the ASA software. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or cause a reload of the affected system” (2016 Oct. 19, “Cisco ASA Software Identity Firewall Feature Buffer Overflow Vulnerability“).

CVE-2016-6439 – “A vulnerability in the detection engine reassembly of HTTP packets for Cisco Firepower System Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition due to the Snort process unexpectedly restarting. The vulnerability is due to improper handling of an HTTP packet stream. An attacker could exploit this vulnerability by sending a crafted HTTP packet stream to the detection engine on the targeted device. An exploit could allow the attacker to cause a DoS condition if the Snort process restarts and traffic inspection is bypassed or traffic is dropped” (2016 Oct. 19, “Cisco Firepower Detection Engine HTTP Denial of Service Vulnerability“).

CVE-2016-6431 – “A vulnerability in the local Certificate Authority (CA) feature of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system. The vulnerability is due to improper handling of crafted packets during the enrollment operation. An attacker could exploit this vulnerability by sending a crafted enrollment request to the affected system. An exploit could allow the attacker to cause the reload of the affected system” (2016 Oct. 19, “Cisco ASA Software Local Certificate Authority Denial of Service Vulnerability“).

CVE-2016-6446 – “A vulnerability in Web Bridge for Cisco Meeting Server could allow an unauthenticated, remote attacker to retrieve memory from a connected server.  The vulnerability is due to missing bounds checks in the Web Bridge functionality. An attacker could exploit this vulnerability by sending a crafted packet to the affected server. An exploit could allow the attacker to disclose a portion of memory from the server for every packet. The disclosed portions of memory could contain sensitive information such as private keys or passwords” (2016 Oct. 19, “Cisco Meeting Server Information Disclosure Vulnerability“).

CVE-2016-6444 – “A vulnerability in Cisco Meeting Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against a Web Bridge user.  The vulnerability is due to insufficient CSRF protections. An attacker could exploit this vulnerability by convincing the user of the affected system to follow a malicious link or visit an attacker-controlled website. A successful exploit could allow an attacker to submit arbitrary requests to the affected device via the Web Bridge with the privileges of the user” (2016 Oct. 19, “Cisco Meeting Server Cross-Site Request Forgery Vulnerability“).

Oracle Critical Patch Update for October 2016

Oracle released its Critical Patch Update for October 2016.  This update is a collection of patches that addresses 247 vulnerabilities across multiple products.  Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.  Below is a list of the vulnerabilities with the highest impact (CVSS score of 9 or higher):

  • CVE-2016-5555 – “Vulnerability in the OJVM component of Oracle Database Server. Supported versions that are affected are 11.2.0.4 and 12.1.0.2. Easily exploitable vulnerability allows high privileged attacker having Create Session, Create Procedure privilege with network access via multiple protocols to compromise OJVM. While the vulnerability is in OJVM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of OJVM” (2016 Oct. 18, “Text Form of Risk Matrix for Oracle Database Server“).
  • CVE-2015-3253 – “The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object” (CVE.MITRE.org).
  • CVE-2016-3551 – “Vulnerability in the Oracle Web Services component of Oracle Fusion Middleware (subcomponent: JAXWS Web Services Stack). Supported versions that are affected are 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0 and 12.2.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Services. Successful attacks of this vulnerability can result in takeover of Oracle Web Services” (2016 Oct. 18, “Text Form of Risk Matrix for Oracle Fusion Middleware“).
  • CVE-2015-7501 – “Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: None). Supported versions that are affected are 10.3.6.0, 12.1.3.0 and 12.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server” (2016 Oct. 18, “Text Form of Risk Matrix for Oracle Fusion Middleware”).
  • CVE-2016-5535 – “Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: None). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0 and 12.2.1.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server” (2016 Oct. 18, “Text Form of Risk Matrix for Oracle Fusion Middleware”).
  • CVE-2016-5531 – “Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS-WebServices). Supported versions that are affected are 10.3.6.0, 12.1.3.0 and 12.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server” (2016 Oct. 18, “Text Form of Risk Matrix for Oracle Fusion Middleware”).
  • CVE-2016-5599 – “Vulnerability in the Oracle Advanced Supply Chain Planning component of Oracle Supply Chain Products Suite (subcomponent: MscObieeSrvlt). Supported versions that are affected are 12.2.3, 12.2.4 and 12.2.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Advanced Supply Chain Planning. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Advanced Supply Chain Planning accessible data as well as unauthorized access to critical data or complete access to all Oracle Advanced Supply Chain Planning accessible data” (2016 Oct. 18, “Text Form of Risk Matrix for Oracle Supply Chain Products Suite“).
  • CVE-2016-5556 – “Vulnerability in the Java SE component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are Java SE: 6u121, 7u111 and 8u102. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE” (2016 Oct. 18, “Text Form of Risk Matrix for Oracle Java SE”).
  • CVE-2016-5568 – “Vulnerability in the Java SE component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u121, 7u111 and 8u102. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE” (2016 Oct. 18, “Text Form of Risk Matrix for Oracle Java SE”).
  • CVE-2016-5582 – “Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u121, 7u111 and 8u102; Java SE Embedded: 8u101. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded” (2016 Oct. 18, “Text Form of Risk Matrix for Oracle Java SE”).
  • CVE-2016-5580 – “Vulnerability in the Secure Global Desktop component of Oracle Virtualization (subcomponent: Web Services). Supported versions that are affected are 4.7 and 5.2. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise Secure Global Desktop. While the vulnerability is in Secure Global Desktop, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Secure Global Desktop accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Secure Global Desktop” (2016 Oct. 18, “Text Form of Risk Matrix for Oracle Virtualization”).
  • CVE-2016-5605 – “Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: VirtualBox Remote Desktop Extension (VRDE)). The supported version that is affected is VirtualBox prior to 5.1.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via VRDP to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data as well as unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data” (2016 Oct. 18, “Text Form of Risk Matrix for Oracle Virtualization”).

References:

  • Kuranda, S. (2015 May 7). “Top 10 Best-Selling Network Security Products In Q1 2015”. The Channel Company, Inc. Retrieved from http://www.crn.com/slide-shows/security/300076761/10-best-selling-network-security-products-in-q1-2015.htm/pgno/0/1
  • (2016 Oct. 19). “Cisco ASA Software Identity Firewall Feature Buffer Overflow Vulnerability”. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161019-asa-idfw
  • (2016 Oct. 19). “Cisco Firepower Detection Engine HTTP Denial of Service Vulnerability”. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161019-fpsnort
  • (2016 Oct. 19). “Cisco ASA Software Local Certificate Authority Denial of Service Vulnerability”. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161019-asa-ca
  • (2016 Oct. 19). “Cisco Meeting Server Information Disclosure Vulnerability”. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161019-cms1
  • (2016 Oct. 19). “Cisco Meeting Server Cross-Site Request Forgery Vulnerability”. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161019-cms
  • (2016 Oct. 18). “Oracle Critical Patch Update Advisory – October 2016”. Oracle Corp. Retrieved from http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
  • (2016 Oct. 18). “Text Form of Risk Matrix for Oracle Database Server”. Oracle Corp. Retrieved from http://www.oracle.com/technetwork/security-advisory/cpuoct2016verbose-2881725.html#DB
  • (2016 Oct. 18). “Text Form of Risk Matrix for Oracle Fusion Middleware”. Oracle Corp. Retrieved from http://www.oracle.com/technetwork/security-advisory/cpuoct2016verbose-2881725.html#FMW
  • (2016 Oct. 18). “Text Form of Risk Matrix for Oracle Supply Chain Products Suite”. Oracle Corp. Retrieved from http://www.oracle.com/technetwork/security-advisory/cpuoct2016verbose-2881725.html#SCP
  • (2016 Oct. 18). “Text Form of Risk Matrix for Oracle Java SE”. Oracle Corp. Retrieved from http://www.oracle.com/technetwork/security-advisory/cpuoct2016verbose-2881725.html#JAVA
  • (2016 Oct. 18). “Text Form of Risk Matrix for Oracle Virtualization”. Oracle Corp. Retrieved from http://www.oracle.com/technetwork/security-advisory/cpuoct2016verbose-2881725.html#OVIR
  • CVE.MITRE.org. “CVE: International in scope and free for public use in accordance with terms of use, CVE is a dictionary of publicly known information security vulnerabilities and exposures”. The MITRE Corporation. Retrieved from https://cve.mitre.org

Vulnerabilities Weekly Summary Ending October 14

This week Microsoft’s Patch Tuesday addressed many vulnerabilities affecting its operating systems; likewise, Adobe addressed vulnerabilities in Flash Player. Cisco also released security advisories, and a security update was released for Chrome.

Microsoft’s Patch Tuesday for October 2016

Microsoft’s patches for the month have been released and, as usual, address many vulnerabilities. Ten patches in total have been released. Below is the list of vulnerabilities deemed critical, some of which, if exploited, could allow a remote attacker to take control of an affected system (Oct. 11, 2016, “Microsoft Security Bulletin Summary for October 2016”):

  • Internet Explorer
    • CVE-2016-3267 – Microsoft Browser Information Disclosure Vulnerability
    • CVE-2016-3382 – Scripting Engine Memory Corruption Vulnerability
    • CVE-2016-3383 – Internet Explorer Memory Corruption Vulnerability
    • CVE-2016-3384 – Internet Explorer Memory Corruption Vulnerability
    • CVE-2016-3385 – Scripting Engine Memory Corruption Vulnerability
    • CVE-2016-3390 – Scripting Engine Memory Corruption Vulnerability
  • Microsoft Edge
    • CVE-2016-3331 – Microsoft Browser Memory Corruption Vulnerability
    • CVE-2016-3382 – Scripting Engine Memory Corruption Vulnerability
    • CVE-2016-3386 – Scripting Engine Memory Corruption Vulnerability
    • CVE-2016-3389 – Scripting Engine Memory Corruption Vulnerability
    • CVE-2016-3390 – Scripting Engine Memory Corruption Vulnerability
    • CVE-2016-7189 – Scripting Engine Remote Code Execution Vulnerability
    • CVE-2016-7190 – Scripting Engine Memory Corruption Vulnerability
    • CVE-2016-7194 – Scripting Engine Memory Corruption Vulnerability
  • Microsoft Graphics Component
  • Microsoft Video Control
    • CVE-2016-0142 – Microsoft Video Control Remote Code Execution Vulnerabilities

Please refer to the bulletin for the complete list of vulnerabilities and to our Patches and Updates page for direct links to the updates.

Adobe Security Bulletin for October 2016 addressing Flash Player and Creative Cloud Desktop Application

Adobe released two security bulletins: one addressing vulnerabilities in Adobe Flash Player (Oct. 11, 2016, “Security updates available for Adobe Flash Player”), the other addressing the Creative Cloud Desktop Application (Oct. 11, 2016, “Security update available for the Creative Cloud Desktop Application”).

Security update for Chrome v.54.0.2840.59

Chrome released security update v.54.0.2840.59 for Chrome 54. This update includes 21 security fixes; below is the list of vulnerabilities rated “high” (Oct. 12, 2016, “Stable Channel Update for Desktop”):

Cisco Security Advisories for Cisco Meeting Server, Unified Communications Manager and Finesse

Cisco released several security advisories for a few of its products, including Cisco Meeting Server, Cisco Unified Communications Manager and Cisco Finesse. Below is a list of all the vulnerabilities addressed in these security advisories:

  • CVE-2016-6445 – “A vulnerability in the Extensible Messaging and Presence Protocol (XMPP) service of the Cisco Meeting Server (CMS) could allow an unauthenticated, remote attacker to masquerade as a legitimate user” (2016 Oct. 12, “Cisco Meeting Server Client Authentication Bypass Vulnerability”).
  • CVE-2016-6437 – “A vulnerability in the SSL session cache management of Cisco Wide Area Application Services (WAAS) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition due to high consumption of disk space. The user would see a performance degradation” (2016 Oct. 12, “Cisco Wide Area Application Services Central Manager Denial of Service Vulnerability”).
  • CVE-2016-6440 – “The Cisco Unified Communications Manager (CUCM) may be vulnerable to data that can be displayed inside an iframe within a web page, which in turn could lead to a clickjacking attack. Protection mechanisms should be used to prevent this type of attack” (2016 Oct. 12, “Cisco Unified Communications Manager iFrame Data Clickjacking Vulnerability”).
  • CVE-2016-6443 – “A vulnerability in the Cisco Prime Infrastructure and Evolved Programmable Network Manager SQL database interface could allow an authenticated, remote attacker to impact system confidentiality by executing a subset of arbitrary SQL queries that can cause product instability” (2016 Oct. 12, “Cisco Prime Infrastructure and Evolved Programmable Network Manager Database Interface SQL Injection Vulnerability”).
  • CVE-2016-6442 – “A vulnerability in Cisco Finesse Agent and Supervisor Desktop Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against the user of the web interface” (2016 Oct. 12, “Cisco Finesse Cross-Site Request Forgery Vulnerability”).
  • CVE-2016-6438 – “A vulnerability in Cisco IOS XE Software running on Cisco cBR-8 Converged Broadband Routers could allow an unauthenticated, remote attacker to cause a configuration integrity change to the vty line configuration on an affected device

References:

  • (2016 Oct. 11). “Microsoft Security Bulletin Summary for October 2016”. Microsoft Corp. Retrieved from https://technet.microsoft.com/en-us/library/security/ms16-oct.aspx
  • (2016 Oct. 11). “Security updates available for Adobe Flash Player”. Adobe Systems, Inc. Retrieved from https://helpx.adobe.com/security/products/flash-player/apsb16-32.html
  • (2016 Oct. 11). “Security update available for the Creative Cloud Desktop Application”. Adobe Systems, Inc. Retrieved from https://helpx.adobe.com/security/products/creative-cloud/apsb16-34.html
  • (2016 Oct. 12). “Stable Channel Update for Desktop”. Google Inc. Retrieved from https://googlechromereleases.blogspot.com/search/label/Stable%20updates
  • (2016 Oct. 12). “Cisco Meeting Server Client Authentication Bypass Vulnerability”. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161012-msc
  • (2016 Oct. 12). “Cisco Wide Area Application Services Central Manager Denial of Service Vulnerability”. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161012-waas
  • (2016 Oct. 12). “Cisco Unified Communications Manager iFrame Data Clickjacking Vulnerability”. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161012-ucm
  • (2016 Oct. 12). “Cisco Prime Infrastructure and Evolved Programmable Network Manager Database Interface SQL Injection Vulnerability”. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161012-prime
  • (2016 Oct. 12). “Cisco Finesse Cross-Site Request Forgery Vulnerability”. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161012-fin