Channel: Tenable Blog

New Apache PHP XSS Bug Displays Modified HTTP Request Text to Users


A researcher has discovered a cross-site scripting vulnerability in PHP's Apache 2 module handler, triggered by a mishandled chunked HTTP request. Upgrade PHP and review privileges for applications and services using it.

Background

Researcher Prashanth Varma posted PHP Bug #76582 for Apache version 2.x that details a cross-site scripting (XSS) bug which could allow an unauthenticated attacker to send a malicious POST request that echoes the embedded script in the body of the response. The Center for Internet Security (CIS) issued an advisory stating that PHP versions 7.2 (prior to 7.2.10), 7.1 (prior to 7.1.22), 7.0 (prior to 7.0.32) and 5.6 (prior to 5.6.38) are all vulnerable. At the time of publication, there is no CVE for this vulnerability.

Vulnerability details

PHP's Apache 2 handler mishandles the “Transfer-Encoding: chunked” HTTP request header, which normally tells the server that the request body arrives as a sequence of length-prefixed chunks. When exploited, the server's error response echoes the request text back into the active browser session without escaping it. The exploit requires a script to send the crafted request, but no user interaction or authentication. The attacker could include a malicious link in these error messages, opening the user up to further attack if clicked.

As with any reflected XSS, unescaped text in the response lets an attacker run arbitrary script in the victim's browser in the context of the vulnerable site, which goes well beyond a cosmetic error message. No more sophisticated attacks have been seen at the time of this writing, but additional attacks could use this flaw as a vector as time progresses.
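To make the mechanism concrete, here is an added example in C (not code from the Tenable post or from the PHP bug report) that builds the kind of chunked POST the bug report describes and checks whether a reply reflects the request text without HTML-escaping it. The host, path and payload are placeholders, and the reply strings used to exercise the checker are constructed for the example.

```c
/* Added example: chunked POST builder plus an unescaped-reflection check.
 * Host, path and payload are placeholders; nothing here is the page's code. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>

/* Write an HTTP/1.1 POST with a chunked body into out. The body is sent as one
 * chunk, "<hex length>\r\n<data>\r\n", followed by the terminating "0\r\n\r\n".
 * Returns the number of bytes written, or 0 if out is too small. */
size_t build_chunked_post(char *out, size_t cap, const char *host,
                          const char *path, const char *body)
{
    int n = snprintf(out, cap,
        "POST %s HTTP/1.1\r\n"
        "Host: %s\r\n"
        "Transfer-Encoding: chunked\r\n"
        "Connection: close\r\n"
        "\r\n"
        "%zx\r\n%s\r\n"
        "0\r\n\r\n",
        path, host, strlen(body), body);
    if (n < 0 || (size_t)n >= cap)
        return 0;
    return (size_t)n;
}

/* Return 1 if the reply body contains the payload verbatim, i.e. the server
 * echoed request text without escaping '<', '>' or '"'. An escaped echo such
 * as "&lt;script&gt;" does not match and is treated as safe. */
int reflects_unescaped(const char *reply, const char *payload)
{
    const char *body = strstr(reply, "\r\n\r\n");
    if (!body)                       /* no header/body split: not an HTTP reply */
        return 0;
    return strstr(body + 4, payload) != NULL;
}

/* Send the request to host:port and return 1 if the reply reflects the payload
 * unescaped, 0 if not, -1 on a network error. Only run this against hosts you
 * are authorised to test. */
int probe(const char *host, const char *port, const char *path, const char *payload)
{
    char req[1024], reply[8192];
    size_t len = build_chunked_post(req, sizeof req, host, path, payload);
    if (!len) return -1;

    struct addrinfo hints, *res;
    memset(&hints, 0, sizeof hints);
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, port, &hints, &res) != 0) return -1;
    int fd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
    if (fd < 0 || connect(fd, res->ai_addr, res->ai_addrlen) < 0) {
        freeaddrinfo(res);
        if (fd >= 0) close(fd);
        return -1;
    }
    freeaddrinfo(res);
    if (write(fd, req, len) != (ssize_t)len) { close(fd); return -1; }

    size_t got = 0;
    ssize_t r;
    while (got < sizeof reply - 1 &&
           (r = read(fd, reply + got, sizeof reply - 1 - got)) > 0)
        got += (size_t)r;
    close(fd);
    reply[got] = '\0';
    return reflects_unescaped(reply, payload);
}
```

A payload such as `<script>alert(1)</script>` is encoded as a single 0x19-byte chunk; a server that reflects it verbatim in a 400 error page is exposed, whereas a server that returns `&lt;script&gt;` has escaped it. Because the check looks only for a verbatim echo, it can miss reflections that land inside an attribute or script context, so treat a negative result as "no evidence", not as proof of safety.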

Urgently required actions

Upgrade PHP to a fixed release (7.2.10, 7.1.22, 7.0.32 or 5.6.38, or later) to ensure that assets have the latest security patches. We also recommend reviewing privileges and asset access of any apps or services that utilize PHP in order to understand what targets are at risk. And, as always, reinforce security awareness with users, so they know the risks of clicking on links in error messages. Clicking on new messages from trusted sites can be just as dangerous as clicking on messages from untrusted sources.

Identifying affected systems

Tenable will be releasing plugins to scan for this vulnerability shortly and will continue to monitor the situation. Even though this vulnerability only appears to affect PHP running as an Apache 2 module at this time, we recommend upgrading PHP to the latest version on other platforms that use PHP as well, to minimize risk.

Get more information

Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.


Tenable Research Advisory: Peekaboo Critical Vulnerability in NUUO Network Video Recorder


Tenable Research has discovered a critical vulnerability named Peekaboo permitting remote code execution in IoT network video recorders for video surveillance systems that would allow attackers to remotely view feeds and tamper with recordings.

Tenable Research discovered two vulnerabilities in NUUO’s Network Video Recorder software. The first is a critical unauthenticated stack buffer overflow and the second is a backdoor in leftover debug code. These vulnerabilities were assessed and tested in the NVRMini2, a network-attached storage device and network video recorder.

What do you need to know? Tenable Research has found a critical remote code execution vulnerability called Peekaboo in NUUO’s NVRMini2 software that an attacker can exploit to fully compromise the system.

What’s the attack vector? The web service is vulnerable to a stack buffer overflow that can be exploited remotely by an unauthenticated attacker.

What’s the business impact? An attacker can gain full system access, giving them control over and access to attached camera feeds and recordings. In addition, access credentials for connected cameras can be read in cleartext.

What’s the solution? Urgently apply the update from NUUO.

Background

NUUO offers closed-circuit television (CCTV), surveillance and video software and hardware. NUUO software and devices are commonly used for web-based video monitoring and surveillance in industries such as retail, transportation, education, government and banking. The vulnerable device, NVRMini2, is a network-attached storage device and network video recorder. Multiple camera feeds can be viewed and recorded simultaneously.

More interestingly, NUUO OEMs and whitelabels its software to third-party vendors. The full list of affected third-party vendors is currently unknown.

CVE-2018-1149: Peekaboo Unauthenticated Stack Buffer Overflow

Analysis

We found an unauthenticated stack buffer overflow (CWE-121) permitting remote code execution. This vulnerability has a CVSSv2 Base score of 10.0 and a Temporal Score of 8.6; it’s rated as Critical severity.

The NVRMini2 uses an open-source web server that supports some executable binaries via the common gateway interface (CGI) protocol. One of the CGI binaries that can be executed on the NVRMini2 is 'cgi_system' and it can be accessed via http://x.x.x.x/cgi-bin/cgi_system. This binary handles a variety of commands and actions that require the user to be authenticated.

During authentication, the length of the session ID taken from the cookie parameter is not checked before it is copied with sprintf into a fixed-size stack buffer, producing a stack buffer overflow. This gives remote code execution with “root” (administrator) privileges.
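The shape of that bug, and the check that prevents it, as an added example in C. This is not NUUO's code: the cookie name PHPSESSID, the /tmp/session_ path prefix, the 64-byte buffer and the 32-character session ID limit are assumptions made for the example.

```c
/* Added example, not NUUO's code. Cookie name, path prefix, buffer size and
 * session id limit are assumptions. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define SID_MAX 32      /* assumed maximum length of a legitimate session id */

/* Locate the value of cookie `name` in a Cookie header value such as
 * "lang=en; PHPSESSID=abc123; theme=dark". Returns a pointer into `cookie`
 * and stores the value length in *len, or returns NULL if the cookie is absent. */
const char *cookie_value(const char *cookie, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = cookie;
    while (p && *p) {
        while (*p == ' ' || *p == ';') p++;
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *end = strchr(v, ';');
            *len = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p = strchr(p, ';');
    }
    return NULL;
}

/* VULNERABLE (CWE-121): `sid` is the raw, NUL-terminated session id taken
 * from the Cookie header. sprintf's %s is unbounded, so a session id longer
 * than 50 bytes overruns the 64-byte stack buffer and overwrites the saved
 * return address. Included only to show the bug's shape; never call it with
 * untrusted input. */
int session_path_unsafe(const char *sid, char *out, size_t outcap)
{
    char path[64];
    sprintf(path, "/tmp/session_%s", sid);   /* no length check on sid */
    snprintf(out, outcap, "%s", path);
    return 0;
}

/* HARDENED: reject session ids that are missing, too long, or contain
 * anything outside [A-Za-z0-9] (which also blocks "../" path tricks), then
 * build the path with a bounded write and treat truncation as an error.
 * Returns 0 on success, -1 on rejection. */
int session_path_safe(const char *cookie, char *out, size_t outcap)
{
    size_t len;
    const char *v = cookie_value(cookie, "PHPSESSID", &len);
    if (!v || len == 0 || len > SID_MAX) return -1;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)v[i])) return -1;
    int n = snprintf(out, outcap, "/tmp/session_%.*s", (int)len, v);
    if (n < 0 || (size_t)n >= outcap) return -1;   /* output would truncate */
    return 0;
}
```

The hardened version validates length and character set before the copy, uses a bounded formatter, and checks its return value; any one of the three would have stopped the overflow, and together they also close the path-manipulation cases that a pure length check leaves open.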

Proof of concept

Jacob Baines, senior research engineer at Tenable, developed an exploit to demonstrate how this vulnerability might be leveraged to take over the NVRMini2 and manipulate connected cameras.

CVE-2018-1150: The Mystery of the Backdoor

We also found a backdoor in some leftover debug code.

<pre>
if (file_exists(constant("MOSES_FILE"))) //back door
{
update_session();
return 0;
}</pre>

If a file named /tmp/moses exists, the backdoor is enabled. It permits the listing of all user accounts on a system, and allows someone to change any account’s password. This would, for example, permit an attacker to view the camera feeds, view CCTV recordings, or remove a camera from the system entirely. This vulnerability has a CVSSv2 Base Score of 4.0 and a Temporal Score of 3.2, and is rated Medium severity.

This is a very odd artifact. We weren’t able to determine if it’s leftover development code or if it was maliciously added. To be able to activate and utilize the backdoor, an attacker would need to be able to create the file “/tmp/moses,” so the attack would require some form of access or need to be combined with another exploit. Its existence and lack of obfuscation in the code is the real mystery.

Business impact

NUUO is a global leader in the video surveillance industry and these devices are widely deployed with more than 100,000 installations worldwide. Their software is also OEM’d and integrated in third-party surveillance system deployments by a wide variety of technology and system integration partners. With any NVRMini2 instance able to manage up to 16 connected CCTV cameras, the count of indirectly exposed devices is potentially in the hundreds of thousands.

The remote code execution vulnerability is of particular concern. Once exploited, Peekaboo gives cyber criminals access to the control management system (CMS), exposing the credentials for all connected CCTV cameras. Using root access on the NVRMini2 device, cyber criminals could disconnect the live feeds and tamper with security footage. For example, they could replace the live feed with a static image of the surveilled area, allowing criminals to enter the premises undetected by the cameras.

<code>
root@NVR:/NUUO/bin# cat /mtd/block4/NUUO/etc/camera.ini
[Camera01]
CameraAuto=0
ShowModelName=M3044-V
MacAddress=
OutputPinCount=0
InputPinCount=0
ManufacturerName=Axis
BrandName=Axis
Protocol=3
Channel=1
ModelName=M3044-V
Manufacturer=
Brand=
Password=password1
UserName=root
Port=80
HostIP=192.168.1.183
CameraName=AXIS</code>

Exposed CCTV Camera Credentials

Threat actors are actively targeting other CCTV NVRs and cameras: the Mirai and GafGyt malware families are commonly used to compromise such IoT devices. In addition, NUUO NVR devices were specifically targeted by the Reaper IoT botnet, as we reported last year.

Solution

As of September 17 at 11 a.m. ET, a patch has not been issued. NUUO has informed Tenable that a patch is being developed and affected customers should contact NUUO for further information. In the meantime, we advise affected end users to restrict and control network access to the vulnerable devices to authorized and legitimate users only.

Identifying affected systems

Tenable has the following plugins available for identifying vulnerable assets.

Plugin ID Description
103929 NUUO NVR Web Interface Detection
117427 NUUO NVRMini2 Multiple Vulnerabilities


Additional information

Peekaboo: Don’t Be Surprised by These Not So Candid Cameras


Tenable Research discovered a major software flaw, dubbed Peekaboo, which gives cyber criminals control of certain video surveillance cameras, allowing them to secretly monitor, tamper with and even disable feeds. Here’s a quick look at what we know today.

What’s Peekaboo?

Peekaboo is a security vulnerability in software made by NUUO, a global video surveillance vendor. The software is used in devices like closed-circuit television (CCTV) cameras and networked video recorders and storage devices. When cyberattackers exploit the flaw, they can manipulate the cameras and take them offline – all without ever being detected.

Who does Peekaboo affect?

Organizations all over the world use NUUO software in their video surveillance systems to protect shopping centers, banks, hospitals, schools and other crowded locations. NUUO also OEMs and white labels its software to more than 100 brands and 2,500 models of cameras. In fact, preliminary estimates show that Peekaboo could affect up to hundreds of thousands of web-based cameras and devices worldwide.

How does Peekaboo work?

Peekaboo can give cyber criminals control of the NUUO recorder that manages the video surveillance cameras, allowing them to secretly monitor, tamper with and even disable the feeds. Even worse, once they’ve compromised the recorder, they can reach the feeds of every camera connected to it.

By exploiting the Peekaboo vulnerability, cyberattackers can steal specifics about all the networked cameras, including key data like login credentials as well as the make and model, IP address and port. All this can happen in the span of a few seconds, without the admins’ knowledge.

Here’s what the hack looks like….

What’s the potential impact of Peekaboo?

Devices with NUUO software are used in diverse environments like banks, retail locations and transportation centers. By exploiting this weakness, attackers could monitor CCTV feeds to surreptitiously gather information, disable cameras or tamper with security footage. For example, they could replace the live feed with a static image of the surveilled area, allowing criminals to enter the premises undetected by the cameras.

What should I do about Peekaboo?

There is no patch available at this time. We advise affected users to restrict and control network access to the vulnerable devices to authorized and legitimate users only.

How was Peekaboo discovered?

Jacob Baines, senior research engineer at Tenable, discovered the Peekaboo vulnerability in NUUO NVRMini2. He then began the disclosure process with NUUO.

This isn’t the first time NUUO NVR devices have been in the news. Just last year, the NUUO NVR devices were specifically targeted by the Reaper IoT botnet.

Want more information?

Nessus at 20: Why It’s More Than a Product to Me


In honor of the 20th anniversary of Nessus this year, we've been asking users around the world to answer the question, "I love Nessus because...." Here, Tenable's VP and Deputy CTO Glen Pendley does just that, sharing his experiences working with Nessus over the past two decades – and tells us how it delivered his first rock-star moment.

Has your life ever been changed by a piece of software? As we celebrate the 20th anniversary of Nessus this year, I've come to realize how much it means to me, personally, to have been responsible for continuing the legacy of Nessus® creator Renaud Deraison, and how much of a role the product has played in the course of my own career.

Renaud (left) and Glen (right) at Tenable's Init Hackathon

The early days of Nessus, the early days of cybersecurity

My first interaction with Nessus was in the late 1990s and early 2000s while I was in the United States Marine Corps. At the time, cybersecurity had started to really become a thing. These early interactions with Nessus pushed me to pursue a career in cybersecurity, rather than general software engineering. I clearly remember how my eyes were opened when I first started looking through the results of a Nessus scan. At that time, if you had a firewall at your perimeter and AV running on your machines, you believed you were “secure.” What I saw through Nessus not only introduced me to the ways someone could exploit a system, it also gave me a much better understanding of how a system functions.

A few years later, I was able to secure a position at Tenable where I ran engineering for SecurityCenter®. After my first two years at Tenable, I was given the opportunity to run our global engineering and security research organization. This, of course, included Nessus, which until that time was always under the direct guidance of Renaud. To say I felt a bit of pressure would be an understatement. That said, having someone like Renaud put the faith in me that he did is hands down one of the most impactful things to have happened to me. It gave me the confidence I needed to do the job.

Building something that matters to cybersecurity professionals

Minding Renaud’s baby wasn’t my only source of pressure at the time. Taking on responsibility for a product so widely beloved and used as Nessus was its own kind of pressure. The latter is the sort of pressure any engineer wants. For me, there is no bigger joy than knowing that what you are building is going to be used by so many people and that the feature you code or the plugin you write is making a real difference in how cybersecurity professionals work.

One of the most rewarding things about my role is having the opportunity to talk to many of our customers. I have traveled and spoken to customers all over the world, and almost every person I speak to tells me they love Nessus and shares an anecdote about how it has helped them. There are also plenty of examples of non-traditional interactions I have had. One of the coolest occurred a few years ago, during Tenable’s yearly engineer/security research offsite.

I showed up to the resort a day or so before the offsite to verify that all the technical infrastructure was in order. As I walked into the main ballroom, I was greeted by one of the IT folks for the resort. We covered a few housekeeping items. As we were wrapping up, he asked me, “Are you the Nessus guys?” Of course, I replied yes. His face lit up at my response and he quickly left the room, saying he would be right back. After about five minutes, he came back into the room with the resort’s entire 12-person IT staff. They had all stopped what they were doing, so they could come and meet the “Nessus guys.”

Nessus – “It just works”

This experience was the closest thing to a rock-star moment I’ve ever had. I spent a good 30 minutes sitting there and talking to them. They were all so legitimately excited to talk to us. All of them had used Nessus – and not only in their current job, but at every one of their previous employers as well. A few had learned how to use Nessus in school. Nessus was their introduction into cybersecurity. I relayed how Nessus was a big part of my early push into cybersecurity as well. Their feelings toward Nessus were similar to many others I have spoken to. When asked why they like Nessus so much, they answered, “It just works.” There is no better feeling for an engineer than hearing those words.

This is why I love doing what I do. To know so many people out there genuinely love your product is an amazing feeling. To know that it truly reinforces an organization’s security posture is rewarding. There are times when I sit back and look at how fortunate I am. I will always be grateful to Renaud for giving me the opportunity to lead and manage Nessus, which remains as impactful to me now as it was 18 years ago.

Get more information

Xbash Malware Targets Windows and Linux with Ransomware and Cryptomining


Newly identified Xbash malware is targeting weak passwords and unpatched vulnerabilities on Linux and Windows systems to launch ransomware or cryptomining attacks.

Background

Unit 42, Palo Alto Networks’ research team, recently blogged about a new malware family it’s calling Xbash. This newly identified malware targets Linux and Windows systems that have weak passwords and unpatched vulnerabilities.

On Linux systems, Xbash will identify and delete MySQL, MongoDB and PostgreSQL databases and then seek ransom payment from victims. On Windows systems, it will initiate cryptomining and self-propagate. Organizations should be aware Xbash has no functionality to restore the deleted databases, so there is no use in paying the ransom.

Vulnerability details

Xbash targets two unpatched vulnerabilities and one patched vulnerability. The first unpatched vulnerability is an unauthenticated command execution vulnerability in Apache Hadoop YARN, first reported in October 2016, which has no CVE; it arises when the YARN ResourceManager REST API is exposed without authentication, allowing anyone who can reach it to submit an application that runs arbitrary commands. The second unpatched vulnerability is a remote code execution vulnerability in Redis, first reported in November 2015, which also has no CVE; it arises when a Redis instance is reachable without authentication, letting an attacker use it to write files on the host. Lastly, the patched vulnerability, CVE-2016-3088, is an arbitrary file write vulnerability in Apache ActiveMQ.

Urgently required actions

To protect against the Xbash malware, we advise organizations to ensure they’re using strong and unique passwords across the board. Because two vulnerabilities remain unpatched, it is important to identify vulnerable assets, require authentication on them, keep them off the public internet and ensure they’re protected by an endpoint security product. As there is a patch available for Apache ActiveMQ, organizations should ensure they’re applying patches regularly. Finally, because Xbash targets and deletes databases, organizations should back up databases regularly and segregate them from other systems on the network.

Identifying affected systems

Tenable has plugins available to identify Redis servers. We will update with additional plugins as they become available.

Plugin ID Description
100634 Redis Server Unprotected by Password Authentication
100635 Redis Server Detection

Get more information:

Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Tenable Research Advisory: Rockwell Automation RSLinx Classic Lite RCE and DoS Vulnerability Discovered by Tenable


Tenable Research has discovered multiple memory corruption issues in Rockwell Automation RSLinx Classic Lite 4.00.01 that may allow for remote code execution or denial of service. Customers are encouraged to update their software.

What do you need to know? Rockwell Automation RSLinx Classic could allow for memory corruption and remote code execution or denial of service.

What’s the attack vector? Common industrial protocol messages over port 44818 to the RSLINX.exe service.

What’s the business impact? Memory corruption and remote code execution could lead to malicious takeover of an asset.

What’s the solution? Apply the latest update from Rockwell Automation for RSLinx Classic.

Background

While researching methods for remotely identifying Rockwell Automation RSLinx Classic, Tenable Research found multiple memory corruption issues in RSLinx Classic Lite 4.00.01 (CVE-2018-14829 and CVE-2018-14821), which may allow an unauthenticated remote attacker to achieve remote code execution (RCE) or denial of service (DoS).

Analysis

RSLinx Classic Lite (RSLINX.exe) implements EtherNet/IP, which encapsulates common industrial protocol (CIP) messages. RSLINX.exe does not thoroughly check the various length fields in these messages against the number of bytes actually received from the network, so an unauthenticated remote attacker can send crafted messages to port 44818 to cause memory corruption.

By controlling what is written past the end of the overflowed buffer, an attacker can then trigger arbitrary code execution.
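What "checking length fields against the bytes received" looks like in practice, as an added example in C that is not Rockwell's code. It parses the 24-byte EtherNet/IP encapsulation header and, for a SendRRData command, the Common Packet Format items that carry the CIP message, refusing any length field that claims more data than arrived. The header and item layouts are the EtherNet/IP ones; the struct and function names are ours, and the packets used to exercise it are constructed.

```c
/* Added example, not Rockwell's code: bounds-checked EtherNet/IP parsing.
 * Layouts follow the EtherNet/IP encapsulation spec; names are ours. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ENIP_HDR_LEN      24
#define ENIP_SEND_RR_DATA 0x006F
#define MAX_ITEMS         8

struct cpf_item { uint16_t type_id; uint16_t len; const uint8_t *data; };

struct enip_msg {
    uint16_t command;
    uint16_t length;           /* encapsulated data length claimed by the header */
    uint32_t session;
    uint16_t item_count;
    struct cpf_item items[MAX_ITEMS];
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return (uint32_t)le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* Parse `n` received bytes into *m. Returns 0 on success or a negative code
 * identifying the check that failed. Every length read from the packet is
 * compared with the bytes actually present before it is trusted. */
int parse_enip(const uint8_t *buf, size_t n, struct enip_msg *m)
{
    if (n < ENIP_HDR_LEN) return -1;                   /* truncated header */
    m->command = le16(buf);
    m->length  = le16(buf + 2);
    m->session = le32(buf + 4);
    if ((size_t)m->length != n - ENIP_HDR_LEN) return -2;  /* header length vs wire */
    if (m->command != ENIP_SEND_RR_DATA) return -3;    /* only SendRRData handled */

    /* SendRRData data: interface handle (4) + timeout (2) + CPF item count (2) */
    const uint8_t *p = buf + ENIP_HDR_LEN, *end = buf + n;
    if (end - p < 8) return -4;
    m->item_count = le16(p + 6);
    p += 8;
    if (m->item_count > MAX_ITEMS) return -5;

    for (uint16_t i = 0; i < m->item_count; i++) {
        if (end - p < 4) return -6;                    /* item header truncated */
        uint16_t type = le16(p), len = le16(p + 2);
        p += 4;
        if ((size_t)(end - p) < len) return -7;        /* item length overruns buffer */
        m->items[i] = (struct cpf_item){ type, len, p };
        p += len;
    }
    if (p != end) return -8;                           /* bytes no item accounts for */
    return 0;
}
```

The two checks that matter most are the header length against the byte count received (-2) and each item length against the bytes remaining (-7); a parser that copies `len` bytes on the strength of the field alone is exactly the pattern that produces the memory corruption described above.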

Vendor response

Rockwell Automation has released software patches for RSLinx Classic versions V3.60, V3.74, V3.80, V3.81, V3.90 and V4.00.01.

Solution

According to Rockwell Automation’s advisory, customers are strongly encouraged to update their software. They have also recommended customers disable port 44818 in RSLinx Classic if it is not utilized during system operation. Customers should also follow other security best practices like limiting administrator privileges and blocking all traffic to EtherNet/IP or other CIP-based devices from external sources.

Identifying affected systems

Tenable has released the following plugin to detect these vulnerabilities.

Plugin ID Description
117671 Rockwell Automation RSLinx Classic <= 4.00.01 Multiple Vulnerabilities

Get more information

Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Four Cybersecurity Questions Every CISO Should Be Ready to Answer


In part one of our six-part blog series on improving your cybersecurity strategy, we discuss how the industry’s reliance on a hyper-compartmentalized approach is making everyone less secure, and we share the four key questions every CISO should be able to answer.

IT infrastructure often grows up with a company. New tools, applications, systems, and user profiles are bolted onto the greater whole as the need for them emerges, usually without being given much strategic consideration. Organizational silos spring up around these additions as teams discover that each new tool requires new skills to deploy and maintain. Before long, the entire operation can resemble a ramshackle old house onto which each generation of homeowner has attached a new room.

Threats lurk in the dark corners. Unforeseen vulnerabilities, aging tech, distributed data centers, network sprawl, greedy insiders, and gullible users thrive. With the components of enterprise IT infrastructure scattered and compartmentalized, it’s difficult for any one person or team to achieve holistic visibility into the entire network.

Lack of visibility makes it difficult to find these siloed threat vectors, and even tougher to address them once they are found. That’s because, in most cases, the tools and tactics available are only designed to tackle specific and unintegrated areas of concern. We often see security tools being deployed scattershot throughout the organization. We see teams in operations, applications security, DevOps, network security, machine learning, high performance computing teams, Security Operations Center (SOC), and auditing and compliance all pursuing and deploying their own discrete tools. And there is no shortage of security tools. More than 600 vendors were on the expo floor at the RSA Conference 2018.

While these issues are nothing new, addressing them has never been more urgent as the attack surface continues to expand. In our work with IT and cybersecurity professionals, we often hear about the challenges of protecting all the isolated apps -- and the distributed computing and storage platforms -- in use throughout the enterprise. Operational technology (OT) and internet of things (IoT) devices introduce their own sets of problems, since these internet-connected solutions are often deployed outside the auspices of the IT organization.

In most cases, organizations end up integrating apps through APIs and putting a multitude of clouds under a single management platform purview in order to manage the lot of them at once. But even this approach is only a stopgap. It’s no substitute for a holistic cybersecurity strategy which emphasizes visibility across the network and applies granular insights about the threats that may be lurking among them, so organizations can effectively prioritize responses. We call this approach Cyber Exposure.

Cyber Exposure is an emerging discipline for managing and measuring cybersecurity risk in the digital era. Cyber Exposure transforms security from static and siloed visibility to dynamic and holistic visibility across the modern attack surface. It’s the foundation upon which to build a cybersecurity strategy that accommodates the entirety of the modern attack surface.

Four questions every CISO should be ready to answer

Building a holistic cybersecurity strategy using the discipline of Cyber Exposure enables you to answer each of these four questions about your organization at any point in time:

  • How secure - and exposed - are we? Answering this question requires visibility into all aspects of the organization's attack surface -- including cloud resources, containers, industrial control systems, and mobile devices, which may or may not be on the radar of IT. It involves taking inventory of where specific threats to your company exist. For example, if your organization is particularly diligent about deploying patches, then the latest Windows vulnerability may not be as big a concern as it would be for an enterprise that hasn’t patched its systems in seven years. By coming to terms with where your exposures are – or where they are likely to be – you reveal the larger picture of what’s at risk.
  • What should we prioritize? The answers to this question should be based on a combination of threat intelligence to understand the exploitability of the issue and asset criticality to understand the business context of the asset. Effective prioritization of vulnerabilities needs to take in the business context in order to optimize your efforts, resources, and budget. It enables you to zero in on protecting the vulnerable areas likely to cost your organization the most in terms of labor, penalties, time, recovery, and reputation. It also helps reduce alert fatigue, as you can then prioritize how your team responds to vulnerabilities based on how critical the affected assets are to your business and the likelihood a given vulnerability will be exploited.
  • How are we reducing exposure over time? Your ability to answer this question is a measure of your progress. You’ll need to identify the metrics and KPIs against which you’ll measure your efforts. Such metrics should be viewable by business unit, geography and asset type. The goal is to understand how your exposure profile is changing month to month, quarter to quarter, and year to year, so you can help your business-side colleagues and the c-suite understand whether the company’s investments in cybersecurity are paying off.
  • How do we compare to our peers? Answering this question forces you out of your company’s internal bubble to help you understand how your cybersecurity practices stack up against those of others in your field, as well as those in other industries. How your organization ranks against industry peers, and against best-in-class security, is an important dialogue for every Board of Directors to have to drive a more strategic discussion and help ensure the board is upholding their fiduciary responsibility in providing the proper risk oversight for the company. Cyber risk is no different than other business risks and should be managed and measured the same way.

Your ability to accurately answer these four questions is vital to understanding the total risk exposure and the effectiveness of your cybersecurity measures. But if you’re dealing with a heavily compartmentalized IT infrastructure, it may seem daunting to know where to even start moving toward a more holistic strategy.

Three cybersecurity practices you can implement today

Here are three tips you can begin using today to help you begin your journey toward a holistic cybersecurity strategy.

  1. From phishing to fishes, look deeper and broader for vulnerabilities. The next attack is likely to come from an unknown and unexpected direction. The infamous casino aquarium hack, where hackers grabbed 10 GB of data from a casino via the internet-connected sensors in a fish tank, is a perfect example. Indeed, given the fast-growing number of IoT devices and their accompanying opportunities for bad actors to enter, security teams will have to continuously update their list of vulnerabilities. But IoT devices are not the only hidden corners that need to be illuminated and secured against threats. Don’t forget about cloud services and cloud environments, containers, video surveillance systems, industrial control devices, point-of-sale fixtures, HVAC systems, and any other internet-connected system which is not typically handled by the IT/SecOps teams. For example, in September, Tenable researchers revealed their discovery of Peekaboo, a vulnerability potentially affecting hundreds of thousands of internet-connected cameras used in video surveillance systems. Make sure your security teams are truly looking everywhere and are armed with tools designed to sniff out vulnerabilities as they appear in new places.
  2. Not all assets are created equal. It’s imperative to know which assets are most critical to your business in order to respond to threats forcefully and appropriately. An iPad used by your company’s CFO may be a more high-value target than the iPad used at the reception desk to sign in visitors. Make sure you’re focusing on your most critical assets first. Take the time now to determine the criticality of each asset and rank its importance in terms of response times. Then update this information regularly. Asset tagging is a good place to start building an inventory of assets based on their criticality. Remember to include compliance requirements, such as GDPR, HIPAA, and PCI, as part of your asset criticality assessment.
  3. Prioritize remediation. Only a small percentage of the thousands of vulnerabilities disclosed every year are ever actually exploited. You need insight into which vulnerabilities are currently being exploited in the wild, along with early warnings about those likely to be attacked in the near future. Having access to this kind of information allows security teams to prioritize their threat response based on the criticality of the asset, threat intelligence, and probability analysis.

In part two of our six-part blog series on improving your cybersecurity strategy, we’ll explore in more detail how to prepare your organization to answer the question “Where are we exposed.”

Learn more:

Tenable Research Advisory: Popular TP-Link Router is Vulnerable to Remote Exploitation


Tenable Research has discovered multiple vulnerabilities in the TP-Link TL-WRN841N, a popular consumer router, one of which could be used by an attacker to remotely take over the device.

  • What do you need to know? Multiple vulnerabilities in TP-Link's popular TL-WRN841N router were discovered by Tenable Research.
  • What’s the attack vector? Unauthenticated requests to the TL-WRN841N router’s web server, including requests forged through the browser of a user on the router’s network (CSRF).
  • What’s the business impact? An attacker can obtain full control over the router, uploading a new configuration file that will change the admin credentials as well as enable remote access to control the device remotely.
  • What’s the solution? TP-Link plans to release a patch that will address these vulnerabilities.

Background

Tenable Researcher David Wells discovered multiple vulnerabilities in the TP-Link TL-WRN841N, a popular wireless router which boasts an average rating of four stars on Amazon with more than 12,000 reviews.

Analysis

The first vulnerability in the TL-WRN841N is an improper authentication flaw, which we discovered independently during our research. It was also reported to TP-Link at the same time by a third-party researcher. It received a CVE identifier of CVE-2018-11714. This vulnerability is local, as it would allow unauthenticated attackers to trigger a set of sensitive CGI routines in the router’s admin webpage by spoofing the HTTP Referer header so that the request appears to come from "tplinkwifi.net," "tplinklogin.net" or the router's IP address.

Our research led us to discover a second vulnerability, a cross-site request forgery (CSRF) flaw in the HTTP referrer whitelist check function in the router’s httpd service. It received a CVE identifier of CVE-2018-15702. It uses a string comparison function, strncmp, which checks to see whether or not the URL contained in the HTTP referrer field matches one of the whitelisted domains. However, this check is performed in such a way that it only looks at a certain length of characters within the string. Therefore, an attacker could craft a malicious iframe pointing to a URL with the subdomain "tplinkwifi.net" or "tplinklogin.net" (e.g. hxxp://tplinkwifi.net.drive-by-attack[.]com) and the router would consider it part of its whitelisted domains. This CSRF, combined with the improper authentication vulnerability, could allow an attacker to obtain full control over the router by uploading a malicious configuration file that would overwrite the admin credentials and even enable access to the router’s remote administration interface.
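The prefix-comparison mistake described above is easiest to see next to its fix. The following is an added example, not code from the router firmware or from Tenable: a simplified Referer check in the style the advisory describes (compare only the first strlen(whitelisted) characters of the host) beside a hardened version that extracts the host component and requires a whole-host, case-insensitive match. The whitelist contains only the two hostnames the advisory names; the router's own IP address, which it also accepts, is omitted here, and bracketed IPv6 literals are not handled. The URL paths used in the checks are constructed.

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>

/* Hostnames the router treats as its own (the two named in the advisory). */
static const char *const kAllowedHosts[] = { "tplinkwifi.net", "tplinklogin.net" };
#define N_ALLOWED_HOSTS (sizeof kAllowedHosts / sizeof kAllowedHosts[0])

/* Copy the host component of scheme://[userinfo@]host[:port]/... into out.
   Returns false for anything that does not look like a URL or that would not fit. */
static bool extract_host(const char *url, char *out, size_t outlen)
{
    const char *p = strstr(url, "://");
    if (p == NULL) return false;
    p += 3;
    size_t n = strcspn(p, "/?#");                 /* authority ends at path/query/fragment */
    const char *host = p;
    size_t hostlen = n;
    const char *at = memchr(p, '@', n);           /* drop any userinfo prefix */
    if (at != NULL) { host = at + 1; hostlen = n - (size_t)(at + 1 - p); }
    const char *colon = memchr(host, ':', hostlen); /* drop any port */
    if (colon != NULL) hostlen = (size_t)(colon - host);
    if (hostlen == 0 || hostlen >= outlen) return false;
    memcpy(out, host, hostlen);
    out[hostlen] = '\0';
    return true;
}

/* Weak check in the style the advisory describes: strncmp bounded by the length of the
   whitelisted name compares only that many characters, so any host that merely starts
   with "tplinkwifi.net" (e.g. "tplinkwifi.net.example") is accepted. */
bool referer_allowed_prefix(const char *referer)
{
    char host[256];
    if (!extract_host(referer, host, sizeof host)) return false;
    for (size_t i = 0; i < N_ALLOWED_HOSTS; i++) {
        if (strncmp(host, kAllowedHosts[i], strlen(kAllowedHosts[i])) == 0)
            return true;
    }
    return false;
}

/* Hardened check: the whole extracted host must equal a whitelisted name. */
bool referer_allowed_exact(const char *referer)
{
    char host[256];
    if (!extract_host(referer, host, sizeof host)) return false;
    for (size_t i = 0; i < N_ALLOWED_HOSTS; i++) {
        if (strcasecmp(host, kAllowedHosts[i]) == 0)
            return true;
    }
    return false;
}
```

Note that the hardened version still only restricts the Referer header, which browsers send but which is absent or configurable in other clients; the advisory's point is that the CSRF protection is only as strong as this comparison, and a per-session anti-CSRF token would not depend on it at all.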

Additionally, we discovered two local/unauthenticated denial of service (DoS) vulnerabilities, both of which can cause the httpd service to crash by sending a malformed HTTP request, requiring the router to be restarted.

Proof of Concept

The researcher who discovered these has also developed a proof of concept of the CSRF vulnerability.

Solution

As of this publication, a patch for these vulnerabilities has not been released. Tenable Research has been communicating and working with TP-Link to ensure these vulnerabilities are addressed in an upcoming firmware update. Impacted end-users can contact the vendor directly for further information. We will update this blog with a link to the vendor’s patch when it is made available.

Identifying Affected Systems

Tenable has the following plugins available for identifying vulnerable assets.

Plugin ID   Description
117861      TP-Link Unauthenticated CGI Cross-Site Request Forgery (remote check)
117860      TP-Link HTTP Server Detection

Additional information:

Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.


Tenable Research Advisory: Multiple Vulnerabilities Discovered in MikroTik's RouterOS


Tenable Research has discovered several vulnerabilities in RouterOS, an operating system used in MikroTik routers, the most critical of which would allow attackers to potentially gain full system access.

Tenable Research has discovered several vulnerabilities in RouterOS, an operating system used in MikroTik routers. Jacob Baines, the Tenable researcher who made the discovery, presented the talk "Bug Hunting in RouterOS" at Derbycon on October 7. The vulnerabilities include CVE-2018-1156 -- an authenticated remote code execution (RCE) -- as well as a file upload memory exhaustion (CVE-2018-1157), a www memory corruption (CVE-2018-1159) and a recursive parsing stack exhaustion (CVE-2018-1158). The most critical of these vulnerabilities is the authenticated RCE, which would allow attackers to potentially gain full system access. They were tested against RouterOS 6.42.3 (release date: 05-25-2018) using the x86 ISO.

  • What do you need to know? Tenable Research has discovered multiple vulnerabilities in a proprietary operating system, RouterOS, used by MikroTik routers. The vulnerabilities include an authenticated RCE, a file upload memory exhaustion and a recursive parsing stack exhaustion.
  • What’s the attack vector? Attackers could use default credentials, frequently left unchanged on routers, to exploit these vulnerabilities.
  • What’s the business impact? The authenticated RCE vulnerability could be exploited with default credentials, granting an attacker full system access and allowing them to divert and reroute traffic or gain access to any internal system that uses the router.
  • What’s the solution? MikroTik released RouterOS versions 6.40.9, 6.42.7 and 6.43 to address these vulnerabilities.

Background

RouterOS is an operating system based on the Linux kernel, which implements functionalities normally used by Internet Service Providers (ISPs), such as Border Gateway Protocol (BGP), IPv6, Open Shortest Path First (OSPF) or Multiprotocol Label Switching (MPLS). RouterOS, supported by MikroTik and its user community, provides a wide variety of configuration examples. RouterOS is embedded in MikroTik’s RouterBOARD product line, focused on small- and medium-sized internet access providers that typically provide broadband access in remote areas. MikroTik is headquartered in Riga, Latvia.

Based on Shodan analysis, there are hundreds of thousands of Mikrotik deployments worldwide, with strong concentrations in Brazil, Indonesia, China, the Russian Federation and India. As of October 3, 2018, approximately 35,000 - 40,000 devices display an updated, patched version.

Analysis

All of these vulnerabilities require authentication (essentially legitimate credentials). If the authenticated RCE vulnerability (CVE-2018-1156) is used against routers with default credentials, an attacker can potentially gain full system access, granting them the ability to divert and reroute traffic and gain access to any internal system that uses the router.

MikroTik routers were among the devices compromised by the recent VPNFilter malware, attributed to a Russian threat actor (APT28/Sofacy/FancyBear), which received extensive media coverage. VPNFilter reportedly targets default credentials, the standard usernames and passwords enabled on the device out of the box, which users often leave unchanged. The actual vulnerabilities being used by VPNFilter are not fully known. Reports have stated that no zero-days were used, but this vulnerability could be a valid attack vector.

Proof of Concept

The licupgr binary contains a call to sprintf that an authenticated user can use to trigger a stack buffer overflow. The sprintf is used on the following string:

GET /ssl_conn.php?usrname=%s&passwd=%s&softid=%s&level=%d&pay_typ'e=%d&board=%d HTTP/1.0

Because the user controls the username and password strings, an authenticated user can exploit this to gain root access to the underlying system.
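The defect above is an unbounded sprintf of caller-controlled strings into a fixed buffer. As an added example (not MikroTik's code or Tenable's proof of concept), the block below shows that pattern beside a bounded builder: each user-supplied field is percent-encoded into a scratch buffer of known size, the request is assembled with snprintf, and any truncation is reported instead of silently accepted. The format string is modelled on the one quoted above; the stray apostrophe in the quoted text is treated as an extraction artefact and dropped, and the buffer sizes and sample credentials are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define REQ_BUF_LEN 256

/* Modelled on the format string quoted in the advisory. */
static const char kRequestFmt[] =
    "GET /ssl_conn.php?usrname=%s&passwd=%s&softid=%s&level=%d&pay_type=%d&board=%d HTTP/1.0\r\n";

/* Pattern the advisory describes: sprintf into a fixed buffer with no bound on the %s
   arguments, so nothing stops the write from running past the end of out. */
void build_request_unbounded(char *out, const char *user, const char *pass,
                             const char *softid, int level, int pay_type, int board)
{
    sprintf(out, kRequestFmt, user, pass, softid, level, pay_type, board);
}

/* Percent-encode src into dst (RFC 3986 unreserved characters pass through).
   Returns 0 on success, -1 if the encoded form would not fit in dst. */
static int url_encode(const char *src, char *dst, size_t dstlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t j = 0;
    for (; *src != '\0'; src++) {
        unsigned char c = (unsigned char)*src;
        if (isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~') {
            if (j + 1 >= dstlen) return -1;
            dst[j++] = (char)c;
        } else {
            if (j + 3 >= dstlen) return -1;
            dst[j++] = '%';
            dst[j++] = hex[c >> 4];
            dst[j++] = hex[c & 0x0F];
        }
    }
    dst[j] = '\0';
    return 0;
}

/* Hardened builder: fields are encoded into bounded scratch buffers and the request is
   assembled with snprintf. Returns the request length, or -1 when a field or the whole
   request would not fit; on failure out is left empty rather than truncated. */
int build_request_bounded(char *out, size_t outlen, const char *user, const char *pass,
                          const char *softid, int level, int pay_type, int board)
{
    char eu[64], ep[64], es[64];
    if (url_encode(user, eu, sizeof eu) != 0 ||
        url_encode(pass, ep, sizeof ep) != 0 ||
        url_encode(softid, es, sizeof es) != 0)
        return -1;
    int n = snprintf(out, outlen, kRequestFmt, eu, ep, es, level, pay_type, board);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0) out[0] = '\0';
        return -1;
    }
    return n;
}

/* Shared buffer for the stand-alone demonstration. */
char g_request[REQ_BUF_LEN];

/* Returns 1 when a normal login is accepted with its fields encoded and a 99-byte
   username (constructed) is rejected instead of overflowing anything. */
int bounded_builder_self_check(void)
{
    char longname[100];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    int ok = build_request_bounded(g_request, sizeof g_request,
                                   "admin", "p@ss w", "sid1", 1, 2, 3) > 0
             && strstr(g_request, "passwd=p%40ss%20w") != NULL;
    int rejected = build_request_bounded(g_request, sizeof g_request,
                                         longname, "x", "y", 1, 2, 3) == -1;
    return ok && rejected;
}
```

The encoding step matters beyond length: without it, an '&' or '=' in a credential would also let the caller inject extra query parameters into the request.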

Solution

MikroTik released RouterOS versions 6.40.9, 6.42.7 and 6.43 to address these vulnerabilities. Users should also be sure to change the default credentials wherever possible.


MikroTik RouterOS Vulnerabilities: There’s More to CVE-2018-14847


In the course of preparing his Derbycon 8.0 presentation on RouterOS vulnerabilities, Tenable Researcher Jacob Baines discovered more to CVE-2018-14847 than originally known. Here’s how it could allow an unauthenticated remote attacker to gain access to the underlying operating system of MikroTik routers.

While preparing for his Oct. 7 Derbycon 8.0 presentation on RouterOS vulnerabilities, Tenable Researcher Jacob Baines discovered more to CVE-2018-14847 than originally known, and the new findings elevate the severity of the vulnerability to critical. Baines also found multiple other vulnerabilities unrelated to CVE-2018-14847 in RouterOS, MikroTik’s proprietary operating system.

CVE-2018-14847 can be used not only for reading files, but for writing them as well. An unauthenticated remote attacker could gain access to the routers’ underlying operating system, which raises its CVSSv2 score to 10.0.

MikroTik released a patch and an advisory for this vulnerability back in April. However, consumers have been slow to patch their systems. Based on Shodan results, Tenable estimates nearly 70 percent of the routers that could be fingerprinted remain unpatched. MikroTik released a new advisory on Oct. 9.

CVE-2018-14847 is being used to steal the routers’ administrator credentials, which allow attackers to gain access to the routers’ various configuration interfaces. Based on the information available initially, the National Vulnerability Database (NVD) had scored this vulnerability as a 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) on the CVSSv2 scale. Here’s how NVD describes CVE-2018-14847:

Winbox for MikroTik RouterOS through 6.42 allows remote attackers to bypass authentication and read arbitrary files by modifying a request to change one byte related to a Session ID.

Active exploits underway

Talos has found VPNFilter malware using this exploit. Other active campaigns exploiting this vulnerability include:

Confused customers are even taking to Reddit when they discover that their ISP’s MikroTik gateway has been compromised.

Highlights from Derbycon

At Derbycon 8.0 in Louisville, Kentucky, in a talk titled “Bug Hunting in RouterOS” (slides available here), Baines revealed how CVE-2018-14847 can be used for more than reading files. It can also be used for writing files. An unauthenticated remote attacker can leverage this capability to obtain a root shell on the router’s underlying operating system. This changes the CVSSv2 score for CVE-2018-14847 from a 5.0 to a 10.0.

Little information existed about CVE-2018-14847 besides a couple of exploits on Exploit DB. These exploits appear to rely on hex blobs whose purpose wasn’t entirely clear.

As part of Tenable’s research, we mapped these hex blobs to MikroTik’s message protocol.

Previous analysis appears to have focused on the network traffic generated by the WinBox client and not necessarily on how RouterOS actually works. When analyzing CVE-2018-14847, Tenable realized that command 7, which is the command used in the Exploit DB exploit mentioned above, shares the path traversal vulnerability with commands 1 and 3.

It turns out using command 1 allows the remote user to open a file for writing at any location due to the path traversal. Furthermore, RouterOS contains some logic that allows for a root busybox shell over SSH or Telnet if a certain file can be found on disk. Tenable leveraged that logic to use command 1 to create the file and then log into the root shell. Our proof of concept is available on Github.
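The root cause in both the read and the write case is a file path taken from the client and used without confining it to the intended directory. As an added example (not RouterOS code and not Tenable's proof of concept), here is the defensive counterpart: a lexical path-confinement routine that resolves "." and ".." segments against a fixed root and rejects any request that would climb above it. The root directory and request strings are constructed; the function is purely lexical and does not follow symlinks, so it complements, rather than replaces, opening files relative to a root directory descriptor.

```c
#include <string.h>

#define MAX_SEGMENTS 64

/* Resolve a client-supplied path against root. "." is dropped, ".." pops the previous
   segment, and a ".." with nothing left to pop is rejected outright rather than clamped.
   Leading slashes are ignored, so an absolute request is still confined under root.
   Returns 0 and fills out on success, -1 on rejection (including when the result
   would not fit in out). */
int confine_path(const char *root, const char *requested, char *out, size_t outlen)
{
    char work[512];
    const char *segs[MAX_SEGMENTS];
    int depth = 0;

    if (strlen(requested) >= sizeof work) return -1;
    strcpy(work, requested);

    for (char *tok = strtok(work, "/"); tok != NULL; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0) continue;
        if (strcmp(tok, "..") == 0) {
            if (depth == 0) return -1;          /* traversal above the root */
            depth--;
            continue;
        }
        if (depth == MAX_SEGMENTS) return -1;
        segs[depth++] = tok;
    }

    size_t used = strlen(root);
    if (used >= outlen) return -1;
    memcpy(out, root, used);
    for (int i = 0; i < depth; i++) {
        size_t n = strlen(segs[i]);
        if (used + 1 + n >= outlen) return -1;
        out[used++] = '/';
        memcpy(out + used, segs[i], n);
        used += n;
    }
    out[used] = '\0';
    return 0;
}

/* Shared buffer for the stand-alone demonstration. */
char g_confined_path[600];
```

Rejecting rather than clamping an out-of-root ".." is deliberate: a request that tries to leave the directory is a protocol violation worth logging, not something to silently serve from the root instead.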

Conclusion

While this vulnerability was patched in April 2018, adoption rates have been very slow. It’s critical for administrators to patch these systems as soon as possible. If you are a Nessus, SecurityCenter or Tenable.io user, the following plugins will help identify MikroTik routers and recent vulnerabilities.

Plugin ID   Title
117335      MikroTik RouterOS Winbox Unauthenticated Arbitrary File Read Vulnerability
112114      MikroTik RouterOS
59731       MikroTik RouterOS Winbox Detection


Tenable Research Advisory: Multiple HPE iMC Vulnerabilities Could Lead to Remote Code Execution or Denial of Service


Tenable Research discovered multiple vulnerabilities in the HPE Intelligent Management Center. HPE is currently working to fix the issues and plans to release patches on Nov. 30.

  • What you need to know: Multiple vulnerabilities were found in HPE iMC, ranging from denial-of-service (DoS) to remote code execution.
  • What’s the attack vector? Multiple listening ports related to HPE iMC.
  • What’s the business impact? Potential DoS, information disclosure, and asset takeover.
  • What’s the solution? There are no patches or workarounds currently. HPE plans to release a patch on or around Nov. 30.

Background

Tenable researcher Chris Lyne discovered several security vulnerabilities in the HPE Intelligent Management Center (HPE iMC). HPE iMC is a network management tool used to monitor assets and their configurations. HPE iMC is often deployed as a large-scale enterprise virtual/physical management solution.

These vulnerabilities include two DoS attacks, two information disclosures, and a remote code execution (RCE). The dbman service could also allow a remote, unauthenticated user to trigger a manual backup to an arbitrary location on the file system.

Analysis

Two vulnerabilities were discovered in HPE iMC’s “dbman.exe” process that can potentially lead to DoS attacks. By sending malicious messages to port 2810, an attacker could cause a stack-based buffer overflow or force a graceful restart of the service.

The remote code execution vulnerability was discovered in HPE iMC's JMX service, which listens on TCP port 9091 by default. This vulnerability can be exploited remotely without authentication. The vulnerability exists due to JMX being configured to start without requiring authentication.

Identifying affected assets

Tenable has released plugins to scan for these issues.

Vendor response

Tenable Research has contacted HP about these vulnerabilities. HP has confirmed it’s aware, and a fix for this will be available in an upcoming release. At the time of publication, HP projects a fix for this issue will be available on or around Nov. 30.


Public Exploit Modules Available for Cisco Prime Infrastructure Vulnerability


Users of Cisco Prime Infrastructure Software are urged to update to the latest version to address one of two vulnerabilities that, when chained, could lead to remote code execution with system-level permissions.

Background

Cisco released an advisory for CVE-2018-15379, an arbitrary file upload and command execution vulnerability for its Cisco Prime Infrastructure (CPI) software. The CPI management software is designed to allow businesses to manage their network device configurations all in one place, rather than individually by device. CPI also offers integration with Cisco Identity Services Engine (ISE) and location-based tracking through the Cisco Mobility Services Engine (MSE).

Vulnerability details

The CPI management tool has two vulnerabilities that, when exploited in tandem, could allow remote code execution. Pedro Ribeiro of Agile Information Security released a Proof of Concept (PoC) that outlines exploitation in greater detail. The researcher also states that exploit modules are publicly available for this vulnerability.

An attacker can first upload a JavaServer Page (JSP) web shell file using a Trivial File Transfer Protocol (TFTP) client to the /localdisk/tftp/ directory through the default TFTP port (port 69) to gain a shell as the "prime" user, which is unprivileged. From there, an attacker can inject commands through an unsanitized portion of the /opt/CSCOlumos/bin/runrshell binary to gain root access in their open shell.

Tenable researchers were also easily able to establish a web shell that accepted command input on a CPI target running version 3.2 in our lab. A standard id command displayed the status of the current user:

However, the privilege escalation can be easily demonstrated with this command:

Urgently required actions

Cisco lists workarounds in its advisory, such as disabling the TFTP server. However, we suggest updating to the fixed version (3.4.1) provided by Cisco. An important note is that this fix only addresses the TFTP file upload vulnerability. If an attacker were to gain access to the host in some other fashion that allows them to invoke the unsanitized binary, the code execution vulnerability would still be exploitable.

Instructions for updating Cisco Prime Infrastructure Software are included in the advisory.

Identifying affected systems

A list of Nessus plugins to identify this vulnerability can be found here.


Microsoft’s October 2018 Security Update: There's More to the Story


A week after Microsoft addressed 49 vulnerabilities in its October 2018 Security Update, new developments have emerged that change the threat profile of some of them.

Background

On Tuesday, October 9, Microsoft released its October 2018 Security Update, also known as Patch Tuesday. This security update contained fixes for 49 vulnerabilities. Since the publication of this security update, new developments have emerged that change the threat profile of some of these vulnerabilities. The most notable developments center around vulnerabilities in Microsoft Windows Shell, Microsoft Win32k.sys and Microsoft JET Database Engine.

Vulnerability details

On September 20, Trend Micro’s Zero Day Initiative (ZDI) published an advisory on CVE-2018-8423, a zero-day vulnerability in Microsoft Windows JET Database Engine. The advisory was published after researchers provided Microsoft with a responsible disclosure timeline of 120 days. Microsoft did release a patch for this vulnerability as part of the October 2018 Security Update. However, researchers from 0patch, a company that produces micropatches for vulnerable software, published a blog on October 12 claiming Microsoft’s patch for the JET Database Engine vulnerability was incomplete. At the time of publication, Microsoft has not responded to 0patch’s claim.

On October 10, Kaspersky Lab researchers published a blog on CVE-2018-8453, a zero-day vulnerability in Win32k.sys that its researchers discovered being exploited in the wild by an Advanced Persistent Threat (APT) group known as FruityArmor. This zero-day is an elevation of privilege vulnerability packaged as part of a malicious software (malware) installer used against fewer than 12 targets based in the Middle East region. Kaspersky notified Microsoft of this vulnerability in August 2018 and a patch was released as part of the October 2018 Security Update.

On October 11, researcher Abdulrahman Al-Qabandi published a blog around his discovery of a remote code execution vulnerability in Windows Shell, CVE-2018-8495. Al-Qabandi provided these details to the ZDI, which worked with Microsoft to address this issue in the October 2018 Security Update. In his blog, Al-Qabandi provides a Proof of Concept (PoC) revealing how the vulnerability can be exploited. The concern around a PoC being made available is that it provides malicious actors a blueprint to leverage this vulnerability to attack users in the wild.

Urgently required actions

Despite the claim that the patch for the JET Database Engine vulnerability is incomplete, customers are still advised to apply Microsoft’s October 2018 Security Update to all assets. Applying this update will address 49 CVEs, including the Win32k.sys and Windows Shell vulnerabilities.

It is unclear whether or not Microsoft will provide clarification about the claim made about the JET Database Engine vulnerability prior to the November 2018 Security Update. Until then, customers are advised to restrict interaction with vulnerable applications to trusted files.

While applying security updates and patches is vital, patching alone is just one part of a larger picture in securing assets. These developments underscore the importance of comprehensive security that encompasses having visibility into your assets, contextualizing potential risks to prioritize responses and taking action to close the Cyber Exposure gap.

Identifying affected systems

A list of Nessus plugins to identify vulnerable assets can be found here.


Process-Led Deployment: How to Maximize Your Cyber Technology Investments


Taking a process-led approach to your cyber technology deployments is critical to your organization’s ability to reduce risk. Too often, organizations focus on solution features and not on driving the appropriate security outcomes.

When making an investment in a cybersecurity solution, or really any IT solution for that matter, you are looking for just that – a solution to a problem. Too often we get hung up on this feature or that function. The reality is you have a business problem and are looking for a solution to solve said business problem.

Successfully deploying the solution is as critical as selecting the right solution to address your problem. Oftentimes, software solutions are deployed using a technology-led approach. A technology-led approach to deployment typically jumps right into installation (on premises) or configuration (SaaS) for the technology of choice. This is a natural approach for technologists, as it gets them to their new set of features or functions most quickly.

The Standish Group Chaos Report finds only 29% of IT project implementations are successful, and 19% are considered failures. A technology-led approach to deployment can significantly reduce the value realized from the investment in the technology solution. Most technology investments result in the transition from a current state to a new state. Your current state can be very manual, a homegrown solution, or an off-the-shelf application you are looking to upgrade. Your existing processes have likely been tuned and optimized to support that current technology stack.

Why process matters

All technologies are different. Even if your new solution is delivering similar capabilities to your current technology stack, there are likely differences in how they go about delivering those capabilities. Usually, there are also new capabilities you would like to deploy. These new capabilities might not even be considered in your current processes.

Cyber Exposure is an emerging discipline focused on managing and measuring your modern attack surface to accurately understand and reduce your cyber risk. The discipline of Cyber Exposure requires us to look at this critical business problem and the supporting solutions through a different lens. Cyber Exposure is fundamentally changing core security processes by providing a broader coverage of assets while providing rich information necessary to prioritize where resources should be focused. Process transformation is critical in order to fully achieve this goal.

The value of a process-led approach

A process-led approach to deployment starts with a discussion about business and security objectives and the supporting processes necessary to achieve those objectives. Tenable Professional Services is defining a point of view regarding the common cybersecurity processes our solutions enable. These processes include asset discovery, vulnerability management, and configuration management. Early in the deployment process, we have a discussion with clients about these key processes. The objective is to arrive at a process definition that achieves the client’s business and security objectives while fully utilizing the capabilities of the technology. These process points of view provide a framework for facilitating this discussion. The result is a process-led versus technology-led approach to deployment.

The best advice I can give someone deploying a new technology is to first clarify your business and security objectives. These objectives should serve as a North Star for decision making. Take the opportunity to review your processes and procedures in the context of the new solution. Seek to understand the full breadth of capabilities of your new solution. Adjust your processes to maximize these capabilities. Only then are you ready to install and/or configure the technology. This will give you the best opportunity to maximize the realized value of your investment.


libssh Vulnerable to Authentication Bypass (CVE-2018-10933)


A newly announced vulnerability in libssh, a multiplatform library that supports the Secure Shell (SSH) protocol, allows attackers to bypass authentication and gain full control over vulnerable servers.

Background

On October 16, the libssh team published an important security update for a vulnerability in libssh versions 0.6 and above. libssh is a multiplatform library written in C that supports the SSH protocol and can be used to implement client and server applications. The security update addresses CVE-2018-10933, an authentication bypass vulnerability. Tenable confirms our products are not vulnerable to CVE-2018-10933.

Impact assessment

Using Shodan, a search engine for internet-connected devices, we found nearly 2,000 devices are running libssh versions 0.6 and above. However, the full scope of libssh use is unclear. Additionally, it has been reported that vulnerable instances of libssh need to be running in server mode, not client mode, which may limit the impact of this vulnerability.

Vulnerability details

A server built on libssh expects to receive a “SSH2_MSG_USERAUTH_REQUEST” message from the client to initiate authentication. However, a server running a vulnerable version of libssh can instead be presented with a “SSH2_MSG_USERAUTH_SUCCESS” message, the message the server itself would normally send to signal a completed login, and it will treat the session as authenticated, allowing anyone to access the server without providing any credentials.
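The underlying principle is that SSH authentication messages have a direction: USERAUTH_REQUEST flows client-to-server, USERAUTH_SUCCESS and USERAUTH_FAILURE flow server-to-client, and a server must never act on a server-only message arriving from its peer. The block below is an added illustration, not libssh's code and not its actual patch: a toy server-side dispatcher in the shape the advisory describes, where a client-sent USERAUTH_SUCCESS flips the session to authenticated, beside a hardened dispatcher that accepts only client-to-server message numbers during authentication and treats anything else as a protocol violation. The message numbers are those assigned in RFC 4252; the credential check and the sample username and password are constructed stand-ins.

```c
#include <string.h>

/* Message numbers from RFC 4252, section 6. */
enum {
    SSH2_MSG_USERAUTH_REQUEST = 50,   /* client -> server */
    SSH2_MSG_USERAUTH_FAILURE = 51,   /* server -> client */
    SSH2_MSG_USERAUTH_SUCCESS = 52    /* server -> client */
};

typedef struct {
    int authenticated;   /* set once the server has verified a credential */
    int disconnect;      /* set when the server should drop the connection */
} ssh_session_state;

typedef void (*auth_handler)(ssh_session_state *, int, const char *, const char *);

/* Constructed credential check standing in for a real password/public-key verifier. */
static int credential_valid(const char *user, const char *password)
{
    return strcmp(user, "alice") == 0 && strcmp(password, "correct horse") == 0;
}

/* Pattern the advisory describes: the dispatcher handles both directions' messages, so
   a USERAUTH_SUCCESS that the client sends is processed as though the server had
   issued it, and the session becomes authenticated without any credential check. */
void server_handle_vulnerable(ssh_session_state *s, int msg,
                              const char *user, const char *password)
{
    switch (msg) {
    case SSH2_MSG_USERAUTH_REQUEST:
        if (credential_valid(user, password)) s->authenticated = 1;
        break;
    case SSH2_MSG_USERAUTH_SUCCESS:
        s->authenticated = 1;        /* trusts a message only the server may send */
        break;
    default:
        break;
    }
}

/* Hardened: during authentication the server accepts only client-to-server message
   numbers; a server-to-client number (or anything unexpected) ends the session. */
void server_handle_fixed(ssh_session_state *s, int msg,
                         const char *user, const char *password)
{
    switch (msg) {
    case SSH2_MSG_USERAUTH_REQUEST:
        if (credential_valid(user, password)) s->authenticated = 1;
        break;
    default:
        s->disconnect = 1;           /* protocol violation: wrong direction */
        break;
    }
}

/* Feed one message to a handler on a fresh session and report whether the session
   ends up authenticated and still connected. */
int session_authenticated_after(auth_handler handler, int msg,
                                const char *user, const char *password)
{
    ssh_session_state s = { 0, 0 };
    handler(&s, msg, user, password);
    return s.authenticated && !s.disconnect;
}
```

The fixed dispatcher never needs to know what USERAUTH_SUCCESS means; it only needs to know that no client may send it. That is why a detection plugin for this issue, like the one described below, can be as simple as sending the single out-of-place message and observing whether the session proceeds.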

Below is a screenshot of Tenable Research confirming this vulnerability on a test system in our lab:

Tenable Research confirmed the libssh vulnerability on a test system in our lab

Urgently required actions

This vulnerability has been addressed in libssh versions 0.8.4 and 0.7.6, so it is important to update servers once server distributions release patches. Additionally, if software creators implement the libssh library in server mode, they should update to the latest version of the library.

Identifying affected systems

A list of Nessus plugins to identify this vulnerability can be found here.

The output of plugin 118154, the exploit plugin, can be seen below.

Output of Tenable plugin 118154, the exploit plugin

This image shows the output of plugin 118155, which checks the libssh version. Please note this will only report when the Accuracy is set to “Show potential false alarms.”

Output of Tenable plugin 118155, which checks the libssh version



jQuery File Upload Plugin Leaves Web Servers Vulnerable to Unauthenticated File Upload Attacks


Akamai disclosed that the popular jQuery File Upload plugin has been vulnerable to an unauthenticated file upload flaw since November 2010.

Background

Akamai’s Security Intelligence Response Team (SIRT) recently disclosed that the popular jQuery File Upload plugin -- the second most-starred plugin on Github in the jQuery project -- has been vulnerable to an unauthenticated file upload flaw (CVE-2018-9206) on Apache web servers since November 2010.

Impact assessment

Larry Cashdollar, a security researcher for Akamai's SIRT, said in an interview with ZDNet that he’s seen active exploitation of this vulnerability dating back to 2016, but gave no details about its scope. According to the jQuery File Upload Github repository, there are over 7,800 forks of this plugin, which are likely vulnerable as well.

Vulnerability details

The jQuery File Upload plugin relies on an .htaccess file with custom security settings to restrict access to its upload folder, but beginning with Apache version 2.3.9, the server ignores these .htaccess settings by default, so the restrictions are never applied. This change allows attackers to bypass file upload security on Apache web servers that use the jQuery File Upload plugin.

Urgently required actions

Sebastian Tschan, the creator of jQuery File Upload, has since patched the plugin on Github. However, developers who use the plugin or any of its forks on Github will need to update their web applications with the new version of the plugin.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.


Microsoft Data Sharing Service Zero-Day Exploit Released on Twitter


Researcher discloses privilege escalation zero-day in Microsoft’s Data Sharing Service on Twitter and provides a proof-of-concept that could be used to deploy attacks in the wild.

Background

On October 23, a privilege escalation zero-day vulnerability in Microsoft’s Data Sharing Service (dssvc.dll), a broker for sharing data between applications, was published to Twitter. The researcher who published this vulnerability also released a zero-day exploit in Microsoft’s Windows Task Scheduler on Twitter in August 2018. As with the Task Scheduler vulnerability disclosed previously, the researcher shared a proof-of-concept (PoC) on GitHub.

Vulnerability details

The PoC shared by the researcher deletes files on the system that normally require administrative privileges. By deleting these files, the PoC demonstrates the bug is capable of elevating privileges. The PoC could be modified by an attacker to perform other tasks that require elevated privileges.

Please be advised that the PoC deletes a critical system file which can render the system inoperable.

According to initial reports, this vulnerability affects Windows 10, Windows Server 2016 and Windows Server 2019 systems. Also note this vulnerability requires that a malicious actor already have presence on an infected system (using malicious software) or utilize a separate vulnerability to establish a presence on a targeted system.

Urgently required actions

It is unclear if Microsoft will issue a patch for this vulnerability in time for the next Security Update in November 2018. Until a patch is available, we strongly encourage utilizing best security practices. This includes mitigation strategies against malware, as attackers are likely to deliver an exploit for this vulnerability through malware. Additionally, ensure proper access control and network segmentation are in place.

Tenable’s Security Response team will update this blog post with protection information as soon as a patch becomes available.


Tweetable Exploit for X.org Server Local Privilege Escalation (CVE-2018-14665) Released


A researcher has published a local privilege escalation exploit that fits in a single tweet for xorg-x11-server. Vendors are rolling out fixes and mitigation advice.

Background

On October 25, a tweetable proof-of-concept (PoC) exploit for a newly discovered local privilege escalation (LPE) vulnerability in xorg-x11-server was released.

Not surprisingly, exploitable scripts were quickly available on the web due to the trivial nature of this exploit.

Impact assessment

This vulnerability affects Linux and Unix hosts that run xorg-server setuid root: a local user can pass the -modulepath parameter to load attacker-controlled code into the privileged server process, or the -logfile parameter to overwrite arbitrary files. While vendors are still assessing the impact of the vulnerability on their products, Red Hat has determined that Red Hat Enterprise Linux versions 7.4 and later are affected. The vulnerability is only exploitable by local users, because the default Pluggable Authentication Modules (PAM) configuration prevents exploitation over SSH connections. It is also relatively uncommon for server-based Linux or Unix administrators to run X.org at all. At this time, other vendors are releasing patches along with mitigation advice where applicable. For example, OpenBSD tweeted:

Because of the limited range of affected versions and the specific and often non-default configurations required to trigger this exploit, the attack’s scope appears to be narrow. However, it’s likely that malicious individuals will still seek out vulnerable systems.

Vulnerability details

This vulnerability was first introduced as a regression as part of security checks for “dangerous options” in xorg-server 1.19.0. According to the X.org security advisory:

The -modulepath argument can be used to specify an insecure path to modules that are going to be loaded in the X server, allowing to execute unprivileged code in the privileged process. The -logfile argument can be used to overwrite arbitrary files in the file system, due to incorrect checks in the parsing of the option.

The affected versions are xorg-x11-server 1.19.0 through 1.20.2.

Urgently required actions

Check for Linux and Unix systems running xorg-x11-server 1.19.0 through 1.20.2 and confirm when vendor fixes become available. In the interim, apply any vendor mitigations related to removing the setuid bit and disable and/or remove xorg-x11-server on any server or desktop systems where it is not needed. According to X.org:

If a patched version of the X server is not available, X.Org recommends to remove the setuid bit (i.e. chmod 755) of the installed Xorg binary. Note that this can cause issues if people are starting the X window system using the 'startx', 'xinit' commands or variations thereof.

X.org recommends the use of a display manager to start X sessions, which does not require Xorg to be installed setuid.
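The following triage script is an added example, not Tenable's or X.org's code. It encodes the two conditions described above, an installed xorg-server in the 1.19.0 through 1.20.2 range and an Xorg binary installed setuid root, and prints the X.org interim mitigation where both hold. It assumes the first line of `Xorg -version` output looks like "X.Org X Server 1.20.2" and defaults to /usr/bin/Xorg; on Debian-style installs the setuid binary is the wrapper (/usr/lib/xorg/Xorg.wrap), so pass that path instead. Distribution packages with backported fixes keep an affected-looking version string, so treat a "vulnerable" result as a prompt to check the vendor advisory, not as proof.

```shell
#!/bin/sh
# Added example (not Tenable's or X.org's code): triage helper for CVE-2018-14665.
# Affected range per the X.org advisory: xorg-server 1.19.0 through 1.20.2.
# Precondition for the local privilege escalation: Xorg installed setuid root.

# parse_xorg_version BANNER: extract "1.20.2" from the text `Xorg -version` prints.
# The banner layout ("X.Org X Server 1.20.2" on the first line) is assumed.
parse_xorg_version() {
    printf '%s\n' "$1" | awk '/X Server/ { print $NF; exit }'
}

# xorg_version_affected VERSION: exit 0 if VERSION lies in 1.19.0..1.20.2.
# Distro suffixes such as "1.20.2-1ubuntu1" are tolerated.
xorg_version_affected() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    patch=$(printf '%s' "$1" | cut -d. -f3 | sed 's/[^0-9].*//')
    patch=${patch:-0}
    [ "$major" = "1" ] || return 1
    case "$minor" in
        19) return 0 ;;             # every 1.19.x release is in range
        20) [ "$patch" -le 2 ] ;;   # 1.20.0 to 1.20.2 in range; 1.20.3 carries the fix
        *)  return 1 ;;
    esac
}

# xorg_is_setuid_root PATH: exit 0 if PATH exists, has the setuid bit and is owned by root.
xorg_is_setuid_root() {
    [ -f "$1" ] && [ -u "$1" ] && [ "$(ls -ld "$1" | awk '{ print $3 }')" = "root" ]
}

# triage_xorg [PATH]: report the installed server's status (default /usr/bin/Xorg).
# `Xorg -version` only prints the banner and exits; it does not start a server.
triage_xorg() {
    bin="${1:-/usr/bin/Xorg}"
    if [ ! -x "$bin" ]; then
        echo "$bin: not installed (nothing to do)"
        return 0
    fi
    ver=$(parse_xorg_version "$("$bin" -version 2>&1)")
    if xorg_version_affected "$ver"; then
        if xorg_is_setuid_root "$bin"; then
            echo "$bin: version $ver in affected range AND setuid root: exploitable by local users"
            echo "  interim mitigation per X.org: chmod 755 $bin (start X via a display manager)"
        else
            echo "$bin: version $ver in affected range, but not setuid root (LPE not reachable)"
        fi
    else
        echo "$bin: version $ver outside 1.19.0-1.20.2 (confirm with vendor advisory)"
    fi
}

triage_xorg "$@"
```

Run it as an unprivileged user on each desktop or server that has X.org installed; the setuid check is the one that decides exploitability, since a non-setuid Xorg started by a display manager already runs as root and gains nothing from these parameters.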

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.


DemonBot Malware Targets Apache Hadoop Servers Using Available Exploit Code


New DemonBot malware uses the same Apache Hadoop YARN exploit previously used to spread Xbash, with attackers launching exploitation attempts at a rate of one million a day to build a botnet for widespread DDoS.

Background

Researchers at Radware recently blogged about the discovery of a new piece of malware, dubbed DemonBot, used by attackers targeting Apache Hadoop servers. These servers are vulnerable to a Yet Another Resource Negotiator (YARN) exploit that was first reported in 2016. Exploit code has been publicly available since March 2018, and attackers have leveraged it to implant Xbash malware in September 2018.

Impact assessment

Radware’s Threat Research Center says they’ve identified over 70 active exploit servers launching exploitation attempts at a rate of “one million per day” in an effort to implant DemonBot.

Malware details

DemonBot is a distributed denial-of-service (DDoS) botnet similar to other DDoS botnets like Mirai. Unlike Mirai, DemonBot does not exhibit worm-like behavior, instead spreading by way of centralized servers.

DemonBot supports commands to launch User Datagram Protocol (UDP) (randomized) or Transmission Control Protocol (TCP) based DDoS attacks and a STD (UDP fixed payload) attack. It also supports what is called a STOMP command, which launches a sequential attack from STD to UDP to TCP.

Radware researchers also note that while DemonBot currently does not target Internet of Things (IoT) devices, it is “binary compatible with most known IoT devices, following the Mirai build principles.”

Urgently required actions

Those operating Apache Hadoop clusters are strongly advised to restrict access to the YARN ResourceManager web interface, whose unauthenticated REST API the exploit abuses to submit an application that runs attacker-supplied commands: configure access control policies for it and limit inbound traffic to the ResourceManager's web port to trusted cluster hosts.
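As an added example (not Radware's or Tenable's code), the script below flags ResourceManager requests that follow the exploit's two-step pattern: a POST to /ws/v1/cluster/apps/new-application to obtain an application ID, followed by a POST to /ws/v1/cluster/apps carrying the command to run. It assumes an access log in common log format, which Hadoop's Jetty request log must be enabled to produce; the sample lines are constructed for the example and use documentation IP ranges, and the trusted-prefix list is a stand-in for your cluster's own address space.

```shell
#!/bin/sh
# Added example (not Radware's or Tenable's code): spot unauthenticated YARN
# application submissions from outside the cluster in a ResourceManager access log.
# Log format assumed: common log format, e.g.
#   client - - [date] "METHOD /path HTTP/1.1" status bytes
# so $1 is the client address, $6 the quoted method and $7 the request path.

# flag_yarn_submissions "PREFIX PREFIX ...": read log lines on stdin and print
# "client method path" for each submission POST whose client does not start
# with one of the space-separated trusted address prefixes.
flag_yarn_submissions() {
    awk -v trusted="$1" '
        BEGIN { n = split(trusted, pfx, " ") }
        function is_trusted(ip,    i) {
            for (i = 1; i <= n; i++)
                if (index(ip, pfx[i]) == 1) return 1
            return 0
        }
        {
            method = $6; sub(/^"/, "", method)
            path = $7;   sub(/\?.*/, "", path)   # drop any query string
            if (method == "POST" &&
                (path == "/ws/v1/cluster/apps/new-application" ||
                 path == "/ws/v1/cluster/apps") &&
                !is_trusted($1))
                print $1, method, path
        }
    '
}

# count_flagged "PREFIX ...": number of flagged lines, for alert thresholds.
count_flagged() {
    flag_yarn_submissions "$1" | awk 'END { print NR }'
}

# Constructed sample log (not real traffic): one external host runs the full
# new-application -> apps sequence; an internal host submits a job legitimately;
# two GETs are ordinary API use and must not be flagged.
SAMPLE_LOG='203.0.113.10 - - [25/Oct/2018:10:00:01 +0000] "POST /ws/v1/cluster/apps/new-application HTTP/1.1" 200 88
203.0.113.10 - - [25/Oct/2018:10:00:02 +0000] "POST /ws/v1/cluster/apps HTTP/1.1" 202 0
10.0.0.5 - - [25/Oct/2018:10:00:03 +0000] "POST /ws/v1/cluster/apps/new-application HTTP/1.1" 200 88
10.0.0.5 - - [25/Oct/2018:10:00:04 +0000] "GET /ws/v1/cluster/info HTTP/1.1" 200 512
198.51.100.7 - - [25/Oct/2018:10:00:05 +0000] "GET /ws/v1/cluster/apps?state=RUNNING HTTP/1.1" 200 2048'

# Stand-alone run: prints the two POSTs from 203.0.113.10.
printf '%s\n' "$SAMPLE_LOG" | flag_yarn_submissions "10.0. 192.168."
```

Any hit from an address outside the cluster is a sign that the ResourceManager is reachable by, and accepting jobs from, the internet; the fix is the access restriction above, not just the alert.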

Identifying affected systems

A list of Nessus® plugins to identify vulnerable Apache Hadoop servers can be found here.

Additionally, our Linux Malicious Process Detection plugin will detect the malware associated with DemonBot.


Bold State Cyber Plays Require Bold Action from the Private Sector, Too


State CISOs face unique challenges in a highly competitive cybersecurity market. Here are three actions the private sector can take to help.

At the NASCIO annual conference, held Oct. 21-24 in San Diego, the organization presented the 2018 Deloitte-NASCIO Cybersecurity Study. This was the fifth edition of the study, and all 50 state Chief Information Security Officers (CISOs) contributed to the data used in the study. The report provided important insights and a compelling call to action.

In each of the annual reports, the responding CISOs identify the top barriers their states face in addressing cybersecurity challenges. In all five editions, the top three responses from CISOs have been the same:

  1. Lack of sufficient funding/lack of sufficient cybersecurity budget
  2. Inadequate availability of security professionals
  3. Increasing sophistication of threats

In 2018, the order of issues (2) and (3) flip-flopped – CISOs are now more concerned about the availability of security professionals than the sophistication of cyber threats – which is a very telling indicator about the health of state cyber. As threats become more sophisticated, the private sector spends more to address them. Without sufficient funding, CISOs are crowded out of the talent pool, resulting in staff shortages that greatly increase the risk of a breach.

There are three actions the private sector can take:

  • Budget/funding. The boldest move lies in funding, or the rest is irrelevant. Private industry should work together to advocate for additional cybersecurity funding in all 50 states. This can take the form of a united lobbying effort to support CISOs in their efforts to obtain necessary budgetary support for their bold plays.
  • Staffing and talent development. The private sector can also host mentorship and internship programs to help train the state cybersecurity workforce and support STEM education in secondary schools. These are relatively small investments that can pay big dividends. Corporate citizenship programs that promote and support STEM education and cybersecurity as a profession can benefit all parties involved, especially those in underserved areas.
  • Threat sophistication. As regulations allow, private sector firms should consider treating support for local government as a corporate public service, and offering tools and consulting services by “adopting” a local jurisdiction. This would provide a platform for the tools and services that could benefit all levels of government by protecting the most vulnerable component of the public sector.

By taking these steps, the private sector can empower states to better protect themselves from inbound attacks and safeguard critical assets.
