19 Oct 2018

Week in review

AUSCERT Week in Review for 19th October 2018

AUSCERT Week in Review
19 October 2018

This week’s libssh issue makes me think of the usual joke intro. of “Knock Knock! – Who’s there?”, just that the punchline is when the answer is “It’s (Me) and I’m allowed to come in.”, and the response is “Sure! come right in!”. Probably not the type of authentication challenge-response that was expected.  So, this just illustrates that access will be had even with the best intentions of rolling out trusted and secure modules. A compensating control, is assume that breaches have already been made and unwanted activity is being performed. These types of activities can be found by doing some threat hunting, just in case someone, somehow got through.  If you need to skill up on that aspect, there is a 10% discount for AUSCERT members at the “AUSTRALIAN LEADERSHIP CYBER-SECURITY WORKSHOPS”.  Tick the box that you are an AUSCERT member and you will automatically get the discount for training that will be rolled out in Canberra and in Brisbane.[1]

An another note, a flurry of notices came through this morning about the specific patch instructions, from SUSE for SUSE Linux Enterprise Server 12-SP2-BCL.
 
[1] https://www.eait.uq.edu.au/australian-leadership-cyber-security-workshops
 
As for the news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:
 
——-

Title:  Critical Remote Code Execution Vulnerabilities Patched by Drupal
URL:    https://news.softpedia.com/news/critical-remote-code-execution-vulnerabilities-patched-by-drupal-523315.shtml
Date:   October 18, 2018
Author: Sergiu Gatlan

Excerpt:
“… Unpatched versions of the Drupal open source content management system (CMS) are vulnerable to remote exploitation which could lead to remote code execution.
Given enough privileges associated with the user that the Drupal installation runs under, this could allow bad actors to create new accounts with full users rights, as well as view, change, delete data on the compromised target.
Therefore, compromised servers where Drupal is launched using a user with limited rights will be a lot less impacted than those where Drupal runs under an administrator account.”

——-

Title:  New Reconnaissance Tool Uses Code from Eight-Year-Old Comment Crew Implant
URL:    https://www.bleepingcomputer.com/news/security/new-reconnaissance-tool-uses-code-from-eight-year-old-comment-crew-implant/
Date:   October 18, 2018
Author: Ionut Ilascu

Excerpt:
“A newly discovered first-stage implant targeting Korean-speaking victims borrows code from another reconnaissance tool linked to Comment Crew, a Chinese nation-state threat actor that was exposed in 2013 following cyber espionage campaigns against the United States.
Dubbed Oceansalt, the threat has been spotted on machines in South Korea, the United States, and Canada.”

——-

Title:  Critical Vulnerabilities Allow Takeover of D-Link Routers
URL:    https://www.securityweek.com/critical-vulnerabilities-allow-takeover-d-link-routers
Date:   October 17, 2018
Author: Eduard Kovacs

Excerpt:
“The security holes affecting D-Link devices were discovered by a research team at the Silesian University of Technology in Poland. The bugs impact the httpd server of several D-Link routers, including DWR-116, DWR-111, DIR-140L, DIR-640L, DWR-512, DWR-712, DWR-912, and DWR-921.
One of the vulnerabilities, tracked as CVE-2018-10822, is a directory traversal issue that allows remote attackers to read arbitrary files using a simple HTTP request. The vulnerability was previously reported to D-Link and tracked as CVE-2017-6190, but the vendor failed to address it in many of its products.”

——-

Title:  Hacker: I’m logged in. New LibSSH Vulnerability: OK! I believe you
URL:    https://www.bleepingcomputer.com/news/security/hacker-im-logged-in-new-libssh-vulnerability-ok-i-believe-you/
Date:   October 17, 2018
Author: Ionut Ilascu

Excerpt:
“Discovered by Peter Winter-Smith of NCC Group, the vulnerability received the identification number CVE-2018-10933 and it affects the server part of libssh.
Laughably easy to exploit is an understatement
Leveraging it is a simple matter of presenting the server with the  SSH2_MSG_USERAUTH_SUCCESS message, which shows that the login already occurred without a problem.
The server expects the message SSH2_MSG_USERAUTH_REQUEST to start the authentication procedure, but by skipping it an attacker can log in without showing any credentials.”

——-

Title:  Apple VoiceOver iOS vulnerability permits hacker access to user photos
URL:   https://www.zdnet.com/article/apple-voiceover-iphone-vulnerability-permits-access-to-user-photos/
Date:   October 15, 2018
Author: Charlie Osborne

Excerpt:
“A vulnerability has been discovered in the Apple iOS VoiceOver feature which can be exploited by attackers to gain access to a victim’s photos.
As reported by Apple Insider, the bug, a lock screen bypass made possible via the VoiceOver screen reader, relies on an attacker having physical access to the target device.
Revealed by iOS hacker Jose Rodriguez and subsequently demonstrated in the YouTube video below, the attack chain begins with the attacker calling the victim’s phone.”

——-

And lastly, here are this week’s noteworthy security bulletins (in no particular order):

1) ESB-2018.3113 – [SUSE] texlive: Execute arbitrary code/commands – Remote with user interaction
https://portal.auscert.org.au/bulletins/69822
Load a font, execute code. (CVE-2018-17182)

2) ASB-2018.0266 – [Win][UNIX/Linux] Google Chrome: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/70182
Chrome 70 is out.

3) ESB-2018.3183 – [Debian] drupal7: Execute arbitrary code/commands – Existing account
https://portal.auscert.org.au/bulletins/70202
…executing arbitrary code.

4) ESB-2018.3191 – [SUSE] linux kernel: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/70242
…escalating privileges in kernel.

5) ESB-2018.3188 – [SUSE] xen: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/70230
…hypervisor crash or potentially privilege escalation

Wishing you the best from AUSCERT and stay safe as we will need you next week to keep users safe,
Geoffroy