10 May 2019

Week in review

AUSCERT Week in Review for 10th May 2019

AUSCERT Week in Review
10 May 2019

Greetings,

The week kicked off with a certificate chain issue in Firefox, resulting in
add-ons being disabled and prevented new add-ons being installed. Mozilla
promptly released a hotfix and have now corrected the issue in Firefox
66.0.5 for Desktop and Android, and Firefox ESR 60.6.3.

This week Red Hat released RHEL 8, so we’ve already started publishing those
bulletins for the early adopters.

Finally to round out the week, an issue was found in the official Alpine Linux
Docker images. Since Dec 2015, a NULL password was set for the root account.
Alpine Linux is popular for creating small linux containers. Users should
explicitly disable the root account for containers using the affected Docker
images.

Here’s a summary (including excerpts) of some of the more interesting
stories we’ve seen this week:

Alpine Linux Docker Image root User Hard-Coded Credential Vulnerability
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0782
Published: May 8th, 2019
Author: Cisco Talos

“Versions of the Official Alpine Linux Docker images (since v3.3) contain a
NULL password for the root user. This vulnerability appears to be the result
of a regression introduced in December 2015. Due to the nature of this issue,
systems deployed using affected versions of the Alpine Linux container that
utilize Linux PAM, or some other mechanism that uses the system shadow file
as an authentication database, may accept a NULL password for the root user.”

—–

Add-ons disabled or failing to install in Firefox
https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/
Published: May 4th, 2019
Author: Kev Needham

“Late on Friday May 3rd, we became aware of an issue with Firefox that
prevented existing and new add-ons from running or being installed. We
are very sorry for the inconvenience caused to people who use Firefox.”

—–

CIA sets up shop on the anonymous, encrypted Tor network
https://www.cnet.com/news/cia-sets-up-shop-on-the-anonymous-encrypted-tor-network/
Published: May 7th, 2019
Author: Justin Jaffe

“The CIA’s global mission requires that “individuals can access us securely
from anywhere,” the intelligence agency said in a press release. “Creating
an onion site is just one of many ways we’re going where people are.”

The onion site (Tor address) features secure links for reporting information
and applying for a job, and will mirror all of the content currently
available at www.cia.gov.”

—–

How Chinese Spies Got the N.S.A.’s Hacking Tools, and Used Them for Attacks
https://www.nytimes.com/2019/05/06/us/politics/china-hacking-cyber.html
Published: May 6th, 2019
Author: Nicole Perlroth, David E. Sanger and Scott Shane

“Chinese intelligence agents acquired National Security Agency hacking
tools and repurposed them in 2016 to attack American allies and private
companies in Europe and Asia, a leading cybersecurity firm has discovered.”

—–

AusPost builds tool to plug cloud security gaps in 30 seconds
https://www.itnews.com.au/news/auspost-builds-tool-to-plug-cloud-security-gaps-in-30-seconds-524841
Published: May 9th, 2019
Author: Justin Hendry

“In addition to improved security coverage across its cloud landscape, the
government-owned corporation with Australia’s largest retail footprint
has seen a significant reduction in remediation time since since rolling
out the solution.

“We’re talking about 30 to 45 seconds to remediate a particular
condition, and that is magnitudes better than what we’d be able to
achieve if we were using a more traditional approach” “

—–

Here are this week’s noteworthy security bulletins:

1) ASB-2019.0136 – Alpine Linux Docker Image: Root compromise –
Remote/unauthenticated
https://portal.auscert.org.au/bulletins/80582

“Versions of the Official Alpine Linux Docker images (since v3.3) contain
a NULL password for the root user. Due to the nature of this issue, systems
deployed using affected versions of the Alpine Linux container that utilize
Linux PAM, or some other mechanism that uses the system shadow file as an
authentication database, may accept a NULL password for the root user.”

2) ESB-2019.1642 – [Linux] Gemalto DS3 Authentication Server / Ezio Server:
Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/80614

“SEC Consult identified multiple vulnerabilities within the DS3
Authentication Server (now called Gemalto Ezio Server, part of the Thales
Group) which can be chained together to allow a low-privileged application
user to upload a JSP web shell with the access rights of a low privileged
Linux system user.”

3) ASB-2019.0135 – [Android] Android: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/80398

“Multiple security vulnerabilities have been identified in the Android
operating system prior to the 2019-05-05 patch level.”

4) ESB-2019.1589 – [Win][UNIX/Linux][Debian] firefox-esr: Reduced security
– Remote/unauthenticated
https://portal.auscert.org.au/bulletins/80394

“We’ve released Firefox 66.0.5 for Desktop and Android, and Firefox
ESR 60.6.3,
which include the permanent fix for re-enabling add-ons that were disabled
starting on May 3rd. The initial, temporary fix that was deployed May 4th
through the Studies system is replaced by these updates, and we recommend
updating as soon as possible.”

5) ESB-2019.1625 – [SUSE] samba: Create arbitrary files – Existing account
https://portal.auscert.org.au/bulletins/80542

“SUSE has patched a flaw in the way samba implemented an RPC endpoint
emulating the Windows registry service API. An unprivileged attacker could
use this flaw to create a new registry hive file anywhere they have unix
permissions which could lead to creation of a new file in the Samba share.”

Stay safe, stay patched and have a good weekend!

Charelle.