18 Oct 2019

Week in review

AUSCERT Week in Review for 18th October 2019

Greetings,

This week Oracle released its quarterly “Critical Patch Updates,
Alerts and Bulletins”. Numerous vulnerabilities and patches were reported
across its broad range of products, all of which will need to be managed.
We can expect many other vendors to release patches over the next few weeks
for their products which might be built around Oracle technologies, including
databases and Java products.

Please refer to our webpage for details of upcoming events, hosted by
both AUSCERT and other industry groups:
https://wordpress-admin.auscert.org.au/resources/events/

Here’s a summary (including excerpts) of some of the more interesting
stories we’ve seen this week:

Title: Germany’s cyber-security agency recommends Firefox as most secure browser
https://www.zdnet.com/article/germanys-cyber-security-agency-recommends-firefox-as-most-secure-browser/
Author: Catalin Cimpanu
Date: 17 October 2019
Excerpt:
“Germany’s BSI tested Firefox, Chrome, IE, and Edge. Firefox was only
browser to pass all minimum requirements for mandatory security features.”

Title: Sudo? More like Su-doh: There’s a fun bug that gives restricted
sudoers root access (if your config is non-standard)
https://www.theregister.co.uk/2019/10/14/linux_sudo_security_bug/
Author: Chris Williams
Date: 14 October 2019
Excerpt:
“Linux users who are able to run commands as other users, via the sudoer
mechanism, though not as the all-powerful root user, can still run commands
as root, thanks to a fascinating coding screw-up.”

Title: MacGibbon joins local cyber security push to challenge multinationals
https://www.itnews.com.au/news/macgibbon-joins-local-cyber-security-push-to-challenge-multinationals-532376/
Author: Justin Hendry
Date: 15 October 2019
Excerpt:
“Two of Australia’s most high-profile IT executives have joined forces
to form the nation’s largest dedicated cyber security company, a move
that directly challenges the dominance of large US-affiliated vendors in
securing key contracts with major corporates and government.”

Title: ATO phone scammers turn up at Adelaide man’s house dressed as police with eftpos machine
https://www.abc.net.au/news/2019-10-15/ato-scammers-turn-up-at-house-with-eftpos-machine/11603144/
Author: Eugene Boisvert
Date: 16 October 2019
Excerpt:
“Two men turned up to another man’s house with an eftpos machine demanding
money after earlier calling him pretending to be from the Australian
Taxation Office (ATO), according to SA Police.”

Title: Planting tiny spy chips in hardware can cost as little as $200
https://arstechnica.com/information-technology/2019/10/planting-tiny-spy-chips-in-hardware-can-cost-as-little-as-200/
Author: Andy Greenberg
Date: 13 October 2019
Excerpt:
“Proof-of-concept shows how easy it may be to hide malicious chips inside
IT equipment.”

Here are some of this week’s noteworthy security bulletins (in no particular
order):

ESB-2019.3826 – [UNIX/Linux][Ubuntu] sudo: Root compromise – Existing account
https://portal.auscert.org.au/bulletins/ESB-2019.3826/
– See article above for discussion of issue.

ASB-2019.0294 – [Win][UNIX/Linux] Oracle Java SE: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ASB-2019.0294/
– One of the outputs from Oracle’s CPU this week.

ESB-2019.3835 – [SUSE] linux kernel: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ESB-2019.3835/
– Another root compromise vulnerability.

ESB-2019.3881 – [Cisco] Cisco Identity Services Engine: Multiple
vulnerabilities
https://portal.auscert.org.au/bulletins/ESB-2019.3881/
– Cisco also had a big week reporting vulnerabilities and patches; this is
one of them.

ESB-2019.3861 – [Win][Mac] Acrobat and Reader: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ESB-2019.3861/
– 68 CVEs reported!

Stay safe, stay patched and have a great weekend,
Marcus.