AusCERT Week in Review for 26th April 2013
Date: 26 April 2013
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=17437

Greetings,

"May you live in interesting times" has been referred to as a Chinese curse. It can also be understood as "May you experience much disorder and trouble in your life". It would be fair to say that information security is living in very interesting times at the moment.

In our experience, it is an unfortunate reality that many WordPress users struggle to patch their installations. Well-known vulnerabilities are then exploited, often en masse via scripting, and what was an innocent WordPress site becomes a host for bank phishing, malware delivery or other forms of online nastiness. Due to their large number and varying quality, AusCERT don't publish bulletins for WordPress plug-ins, but this week we saw a very serious vulnerability highlighted in the very popular WP Super Cache and W3 Total Cache plug-ins: the remote execution of PHP code. Updates are available for both plug-ins. If you use them, stop reading this review now and apply the updates!

In the wider view, if you run a content management system like WordPress, Joomla or Drupal, be mindful of keeping not just the core CMS patched, but also the plug-ins. In many cases a vulnerable plug-in can do just as much evil as a vulnerability in the core system itself, and in many cases the plug-in may not be written or maintained as well as the core code. Take care in selecting your CMS plug-ins, and if you don't really need them, uninstall them.

Matthew Flannery, a 24-year-old Point Clare man who is alleged to be the leader of the well-known hacking group LulzSec, has been arrested by the Australian Federal Police and charged with two offences against the Criminal Code Act. He is a support technician at IT security provider Content Security, which was contracted to provide support for global security firm Tenable Network Security. Flannery would keep his position within the company until investigations advance further.

With Distributed Denial of Service attacks increasing in strength and frequency, the publication of "How to Report a DDoS Attack" by the ICANN Security Team is very timely. If you manage any Information Technology infrastructure that you care about, take the time to read this blog post, as it covers many of the key points: what to do and whom to call when under attack, where to turn for help, and tips on providing good information related to the attack. Best of all, mitigation guidance is provided in a collection of linked documents. This is the kind of reading that any good sysadmin will benefit from.

We're happy to announce to AusCERT members that the Quarterly Trend Report for March 2013 is available for your viewing pleasure.

So if you've not already attended to them, here are my top 5 patches/actions for the week:

1) ESB-2013.0582.2 - UPDATE [Cisco] Cisco NX-OS: Multiple vulnerabilities
Having your switches and routers vulnerable to unauthenticated remote code execution and denial of service is never nice. Patch now!

2) ESB-2013.0507.2 - UPDATE [Win] Microsoft Windows: Multiple vulnerabilities
This is the patch to fix the patch for Windows 7 and Server 2008. Kaspersky anti-virus and other software that didn't play nice with the previous revision should be happier with this one.

3) ESB-2013.0575 - [Cisco] Cisco ASA and FWSM: Unauthorised access - Remote/unauthenticated
Having an unauthenticated remote attacker able to bypass access lists is not good, especially when the device in question is a firewall or security appliance.

4) ESB-2013.0572 - [RedHat] kernel: Multiple vulnerabilities
While an existing account is needed to exploit these vulnerabilities, don't take chances with the kernel - patch it.

5) ESB-2013.0581 - [Win][Cisco] Cisco Device Manager: Execute arbitrary code/commands - Remote/unauthenticated
Remote code execution, especially when unauthenticated, is not nice. Patch to avoid it being exploited.

Stay safe,
Marco