5 Jan 2018

Week in review

AUSCERT Week in Review for 5th January 2018

Greetings,

Welcome back everyone! We hope that you all had a quiet and relaxing break, since this first week of the year has been quite busy. Vulnerabilities (Meltdown and Spectre) in CPU hardware implementations have been disclosed, and software mitigations are currently being released by all the major vendors. Please note that Microsoft, Mozilla and Google have confirmed that these vulnerabilities can be exploited through web browsers.
We have also observed attackers using remote code execution vulnerabilities to install cryptocurrency miners on vulnerable hosts, and more!

Please don’t forget to put in your paper submission for the AUSCERT 2018 conference. Submissions close on the 19th.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: Forever 21 Suffered 7-Month POS Malware Attack
Date Published: 3/1/2018
URL: https://www.bankinfosecurity.com/forever-21-suffered-7-month-pos-malware-attack-a-10555
Author: Mathew J. Schwartz
Excerpt: “Apparel retailer Forever 21 says point-of-sale systems in some of its stores were infected by malware for up to seven months, compromising shoppers’ payment card data.”
—–

Title: Attention, vSphere VDP backup admins: There is a little remote root hole you need to patch…
Date Published: 3/1/2018
URL: https://www.theregister.co.uk/2018/01/03/vmware_vsphere_vdp/
Author: Thomas Claburn
Excerpt: “VMware on Tuesday published a security advisory for its vSphere Data Protection (VDP) backup and recovery product.

The virtualization giant identified three vulnerabilities, one of which it deems critical, with the two others categorized as important.

The issues affect VDP 5.x, 6.0.x, and 6.1.x.”
—–

Title: US Homeland Security breach compromised personal info of 200,000+ staff
Date Published: 4/1/2018
URL: https://www.theregister.co.uk/2018/01/04/us_homeland_security_breach_exposed_personal_info_of_200000_staff/
Author: Rebecca Hill
Excerpt: “More than 240,000 current and former employees of the US Department of Homeland Security have had their personal details exposed in a data breach.

In what it describes somewhat euphemistically as a “privacy incident”, the DHS said the breach could also affect anyone who was part of an investigation by the DHS Office of Inspector General between 2002 and 2014.”
—–

Title: Apple confirms iPhone, Mac affected by Meltdown-Spectre vulnerabilities
Date Published: 5/1/2018
URL: http://www.zdnet.com/article/apple-confirms-iphone-mac-affected-by-meltdown-spectre-vulnerabilities/
Author: Asha McLean
Excerpt: “Apple has issued a statement regarding the Meltdown and Spectre vulnerabilities, confirming all Mac systems and iOS devices are affected, but saying there are no known exploits impacting customers at this time.

Apple, like Microsoft, has urged users to download software only from trusted sources, such as the App Store.”
—–

Here are this week’s noteworthy security bulletins:

1) ESB-2018.0011 – [Win][UNIX/Linux] phpMyAdmin: Cross-site request forgery – Remote with user interaction
https://portal.auscert.org.au/bulletins/56474
A CSRF vulnerability has been fixed in the latest version of phpMyAdmin.

2) ESB-2018.0038 – ALERT [Virtual] VMware vSphere Data Protection (VDP): Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/56586
A remote unauthenticated malicious user can potentially bypass application authentication and gain unauthorized root access to the affected systems.

3) ASB-2018.0002.3 – UPDATED ALERT [Win][UNIX/Linux] Intel CPU Chip: Access privileged data – Existing account
https://portal.auscert.org.au/bulletins/56602
Side-channel attacks due to CPU microcode errors allow kernel memory to be accessed from user space.

4) ESB-2018.0049 – ALERT [Win] Microsoft Products: Access privileged data – Existing account
https://portal.auscert.org.au/bulletins/56634
Microsoft has released an out-of-band patch to mitigate the CPU microcode vulnerabilities (Spectre/Meltdown).

5) ASB-2018.0006 – [Win][UNIX/Linux] Mozilla Firefox: Access privileged data – Remote with user interaction
https://portal.auscert.org.au/bulletins/56726
Mozilla has released an update to Firefox to mitigate the speculative execution side-channel attack (“Spectre”).

Stay safe, stay patched and have a good weekend!

Ananda