3 Nov 2017

Week in review

AUSCERT Week in Review for 3rd November 2017

AUSCERT Week in Review
03 November 2017

Greetings,

As Friday 3rd of November closes, a tally of the root compromises is more than I have seen this past year.  Let’s hope that the reason why we are indeed seeing an up tick in this type of vulnerability is only because security teams and their capabilities are indeed expanding. Well, at least this is the silver lining to be seen as this cloud of root compromise bulletins rolls over.
 
As for news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title:  If your websites use WordPress, put down that coffee and upgrade to 4.8.3. Thank us later
URL:    http://www.theregister.co.uk/2017/10/31/wordpress_security_fix_4_8_3/
Date:   31st October 2017
Author: Iain Thomson

Excerpt:
“The fix addresses a flaw that can be potentially exploited by hackers to hijack and take over WordPress-powered websites, by injecting malicious SQL database commands.

The core installation of WordPress is not directly affected, we’re told, rather the bug is in a security function provided by the core to plugins and themes. In other words, a bug in the core leaves plugins and themes potentially at risk of being hacked, leading to whole sites being commandeered by miscreants.”

——-

Title:  Just one day after its release, iOS 11.1 hacked by security researchers
URL:    http://www.zdnet.com/article/ios-11-hacked-by-security-researchers-day-after-release/
Date:   2nd November 2017
Author: Zack Whittaker

Excerpt:
“A day after iOS 11.1 was released, security researchers have already broken the software.

News of the exploits came from Trend Micro’s Mobile Pwn2Own contest in Tokyo, where security researchers found two vulnerabilities in Safari, the mobile operating system’s browser. “

——-

Title:  AI will not solve your security analytics issues
URL:    https://www.csoonline.com/article/3236025/artificial-intelligence/ai-will-not-solve-your-security-analytics-issues.html
Date:   2nd November 2017
Author: Alexander Poizner

Excerpt:
“Managing SOC is not pretty. Constant stress due to avalanche of tickets and vast amounts of data to analyze using often underpowered and sometimes outdated tools, combined with high turnover and low morale staff. It is understandable that in such environment everybody is looking for a miracle.

Any new technology that has a capability to automate an analysis and detect anomalies gets attention of operations security. With an amount of hype surrounding AI, the temptation is great to jump into early adoption.”

——-

Title:  Security Think Tank: Three areas of web security challenges
URL:    http://www.computerweekly.com/opinion/Security-Think-Tank-Three-areas-of-web-security-challenges
Date:   1st November 2017
Author: Peter Wenham

Excerpt:
“Very few companies these days are without a website and those websites provide a portal from the internet that the bad people can exploit to attack a company’s infrastructure including the website itself. The security challenges posed by a web presence fall into the three broad categories of legal, technical and operational.

On the legal side you need to have a privacy policy identifying what personal data is collected, how that data will be used and who that data might be shared with and why. The policy should be made compliant with the General Data Protection Regulation (GDPR) for which the compliance deadline is 25 May 2018, but this will require you to track GDPR guidance as it becomes available.”

——-

Title:  Facebook pledges to double its 10,000-person safety and security staff by end of 2018
URL:    https://www.cnbc.com/2017/10/31/facebook-senate-testimony-doubling-security-group-to-20000-in-2018.html
Date:   31st October 2017
Author: Anita Balakrishnan    

Excerpt:
“Facebook, under intensifying pressure from legislators and consumers to clean up its site, is pledging to double the number of people it has working on issues related to safety and security.

Colin Stretch, a vice president and general counsel at Facebook, testified before senators on Tuesday alongside executives from Twitter and Google. He told them that Facebook’s staff focused on sensitive security and community issues will grow to 20,000 by the end of next year.”

——-

And lastly, here are this week’s noteworthy security bulletins (in no particular order):

1.    ESB-2017.2778 – [OSX] Apple macOS: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/54342

An application may be able to execute arbitrary code with system privileges.

2.    ESB-2017.2766 – [Mobile] Apple Watch: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/54294

An application may be able to execute arbitrary code with kernel privileges.

3.    ESB-2017.2763 – [Ubuntu] kernel: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/54282

A local attacker could exploit this vulnerability to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

4.    ESB-2017.2782 – [Cisco] Cisco Firepower 4100 Series Next-Generation Firewall (NGFW): Root compromise – Existing account
https://portal.auscert.org.au/bulletins/54358

An authenticated, remote attacker to inject arbitrary commands that could be executed with root privileges.

5.    ESB-2017.2790 – [Appliance] F5 Products: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/54390

An authenticated attacker may be able to cause an escalation of privileges through a crafted application that uses the fork or close system call.

Wishing you the best from AUSCERT and hope to see you next week,
Geoffroy