15 Feb 2019

Week in review

AUSCERT Week in Review for 15th February 2019

Greetings,

This week in security, we enjoy the rare sight of sysadmins running to their terminals for Microsoft’s Patch Tuesday, and Optus calling its customers “Vladimir” for Valentine’s Day.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: Optus disables My Account site after users complain of privacy breach
Date Published: February 15, 2019
Author: Corinne Reichert

Excerpt:
“Optus has confirmed that its My Account website is back up and running after temporarily disabling access following complaints from users that they were seeing the wrong customer information after logging in. According to Optus, it disabled the site “as a precaution”.
“Optus is aware some customers reported seeing incorrect information when activating their Prepaid service, and when logging into My Account to pay their bill yesterday,” an Optus spokesperson said on Friday. “The Optus My Account website is now operational, and Optus is working with our third-party vendors to identify the cause of yesterday’s issue.””
—–

Title: RunC Vulnerability Gives Attackers Root Access on Docker, Kubernetes Hosts
Date Published: February 11, 2019
Author: Sergiu Gatlan

Excerpt:
“A container breakout security flaw found in the runc container runtime allows malicious containers (with minimal user interaction) to overwrite the host runc binary and gain root-level code execution on the host machine.
runc is an open source command line utility designed to spawn and run containers and, at the moment, it is used as the default runtime for containers with Docker, containerd, Podman, and CRI-O.
According to Aleksa Sarai, Senior Software Engineer (Containers) SUSE Linux GmbH, one of the runc maintainers:
The level of user interaction is being able to run any command (it doesn’t matter if the command is not attacker-controlled) as root within a container in either of these contexts:
Creating a new container using an attacker-controlled image.
Attaching (docker exec) into an existing container which the attacker had previous write access to.”
—–

Title: Govt moves to extend encryption-busting powers to anti-corruption agencies
Date Published: Feb 13 2019
Author: Justin Hendry

Excerpt:
“The federal government has revealed planned changes to Australia’s controversial encryption-busting legislation that will give anti-corruption bodies similar powers to other law enforcement agencies.
Amendments to the Assistance and Access Act introduced to parliament on Wednesday afternoon propose extending the industry assistance powers to eight additional agencies, including state corruption watchdogs.
The Australian Federal Police, Australian Crime Commission and state and territory police forces are the only law enforcement agencies afforded the powers as the Act currently stands.”
—–

Title: Email provider hack destroys nearly two decades’ worth of data
Date Published:
Author: Abrar Al-Heeti

Excerpt:
“All US data from email provider VFEmail was destroyed by an unknown hacker, deleting nearly two decades’ worth of emails, VFEmail said Tuesday.
The email provider, which was founded in 2001, scans each email for viruses and spam before they get to someone’s inbox. If a virus is found, it’s blocked from getting onto VFEmail’s servers.
“Yes, @VFEmail is effectively gone,” VFEmail owner Rick Romero said on Twitter. “It will likely not return. I never thought anyone would care about my labor of love so much that they’d want to completely and thoroughly destroy it.””
—–

Title: It’s now 2019, and your Windows DHCP server can be pwned by a packet, IE and Edge by a webpage, and so on
Date Published: 13 Feb 2019
Author: Shaun Nichols

Excerpt:
“Patch Tuesday Microsoft and Adobe have teamed up to give users and sysadmins plenty of work to do this week.
The February edition of Patch Tuesday includes more than 70 CVE-listed vulnerabilities from each vendor – yes, each – as well as a critical security fix from Cisco. You should patch them as soon as it is possible. For Redmond, the February dump covers 77 CVE-listed bugs across Windows, Office, and Edge/IE.
Among the most potentially serious was CVE-2019-0626, a remote code execution vulnerability in the Windows Server DHCP component.”
—–
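A quick exposure check a Windows administrator might run after reading the item above, added here as an example rather than taken from the digest or from Microsoft. It assumes the ServerManager module (Get-WindowsFeature) is available and the script runs with administrator rights on the server being checked.

```powershell
# Added example (not from the AUSCERT digest or Microsoft): is this host exposed to CVE-2019-0626?
# CVE-2019-0626 is a remote code execution bug in the Windows Server DHCP component, fixed in the
# February 2019 Patch Tuesday release. Assumes ServerManager module and administrator rights.
$patchTuesday = [datetime]'2019-02-12'

# If the DHCP Server role is not installed, the vulnerable component is not reachable here.
$dhcpRole = Get-WindowsFeature -Name DHCP
$dhcpSvc  = Get-Service -Name DHCPServer -ErrorAction SilentlyContinue

# The digest does not name a KB article, so rather than hard-coding one we use the
# installation date as a heuristic: any hotfix applied on or after Patch Tuesday.
$recentFixes = @(
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
        Sort-Object InstalledOn
)

[PSCustomObject]@{
    ComputerName      = $env:COMPUTERNAME
    DhcpRoleInstalled = [bool]$dhcpRole.Installed
    DhcpServiceState  = if ($dhcpSvc) { $dhcpSvc.Status.ToString() } else { 'NotPresent' }
    HotfixesSincePT   = $recentFixes.Count
    LatestHotfix      = if ($recentFixes.Count -gt 0) { $recentFixes[-1].HotFixID } else { $null }
    # Role present but nothing installed since 12 Feb 2019: prioritise this host for patching.
    NeedsAttention    = ([bool]$dhcpRole.Installed) -and ($recentFixes.Count -eq 0)
}
```

A hotfix date only shows that something was installed after Patch Tuesday; confirm the specific DHCP Server update against Microsoft's advisory before closing the ticket.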

Here are this week’s noteworthy security bulletins:

1) ASB-2019.0054 – [Win] Windows: Multiple vulnerabilities
     Microsoft patches 32 vulnerabilities for Windows desktop and Windows Server.

2) ASB-2019.0055 – [Win][UNIX/Linux] Mozilla Firefox and Firefox ESR: Multiple vulnerabilities
     Mozilla patches 3 new vulnerabilities in Firefox and Firefox ESR.

3) ESB-2019.0436 – [Linux][Ubuntu] snapd: Root compromise – Existing account
     A local privilege escalation in snapd on Linux, known as dirty_sock.

4) ESB-2019.0438 – [Win][Linux][OSX] Adobe Flash Player: Access confidential data – Remote with user interaction
     An Adobe Flash Player information disclosure vulnerability affecting Windows, Linux, OSX and Chrome OS.

Stay safe, stay patched and have a great weekend,

Rameez Agnew