AusCERT Week in Review for 6th April 2018 6 Apr 2018


AusCERT Week in Review
6 April 2018

Greetings,

As Friday the 6th of April closes, kernel updates and Spectre Meltdown patches looks to be an ongoing source of bulletins.  On the note of patches, it seems that Easter was the time of giving, with PSIRTs providing all their Easter gifts over the long weekend, resulting in a solid volume of bulletins this week.
At least the onslaught of patches was expected, of sorts, and an impact that is expected loses most of its sting.
Perhaps this is the same for EU's GDPR and the expected impact of businesses dealing with Europe.  It could be that the implementation of the Privacy Act Amendment here in Australia may have provided the impetus for concerned companies about assessing their processes and risks in using and storing private information.

As for news, here's a summary (including excerpts) of some of the more interesting stories we've seen this week:

-------

Title:   Intel admits a load of its CPUs have Spectre v2 flaw that can't be fixed
URL:    http://www.theregister.co.uk/2018/04/04/intel_spectre_microcode_updates/
Date:   4th April 2018
Author: Simon Sharwood

Excerpt:
"Intel has issued fresh "microcode revision guidance" that reveals it won’t address the Meltdown and Spectre design flaws in all of its vulnerable processors – in some cases because it's too tricky to remove the Spectre v2 class of vulnerabilities.

The new guidance, issued April 2, adds a “stopped” status to Intel’s “production status” category in its array of available Meltdown and Spectre security updates. "Stopped" indicates there will be no microcode patch to kill off Meltdown and Spectre."

-------

Title:  The EU's General Data Protection Regulation, explained
URL:    https://www.cnet.com/how-to/gdpr-eu-general-data-protection-regulation-explained/
Date:   4th April 2018
Author: Justin Jaffe

Excerpt:
"The European Union is raising the standards -- and stakes -- of personal data privacy. In May 2018, the General Data Protection Regulation (GDPR), will take effect and change the rules of the road for companies that collect, store or process large amounts of user information. That means you, Facebook."

-------

Title:   GDPR is Not a Ticking Timebomb for Huge Fines
URL:     https://www.infosecurity-magazine.com/opinions/gdpr-timebomb-huge-fines/
Date:    5th April 2018
Author:  Jason Coggins

Excerpt:
"One of the biggest misconceptions that organizations have is that if an incident occurs then you will automatically be faced with a fine. I was reading a blog written by Elizabeth Denham of the ICO recently, and she made the point that fines are a last resort. The point of GDPR is to ensure fair and proportionate (proportionate being the operative word here) action is taken against those that fail to meet the agreed standards. There are warnings, recommendations and finally fines for those worst-case scenarios."

-------

Title:  Facebook: It wasn’t 50M hit by Cambridge Analytica breach, but rather 87M
URL:    https://arstechnica.com/tech-policy/2018/04/facebook-now-says-87-million-people-affected-by-cambridge-analytica-breach/
Date:   5th April 2018
Author: Cyrus Farivar and Sean Gallagher

Excerpt:
"At the end of a lengthy piece, authored by Facebook CTO Mike Schroepfer, the company said simply: "In total, we believe the Facebook information of up to 87 million people—mostly in the US—may have been improperly shared with Cambridge Analytica."

Last month, the British data analytics contractor which worked with Donald Trump's presidential campaign retained private data from 50 million Facebook users despite claiming to have deleted it. The scandal has spawned numerous lawsuits, and it has put significant pressure on Cambridge Analytica and Facebook."

-------

Title:  CertUtil.exe Could Allow Attackers To Download Malware While Bypassing AV
URL:    https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-while-bypassing-av/
Date:   4th April 2018
Author: Lawrence Abrams

Excerpt:
"Windows has a built-in program called CertUtil, which can  be used to manage certificates in Windows. Using this program you can install, backup, delete, manage, and perform various functions related to certificates and certificate stores in Windows.

One of the features of CertUtil is the ability to download a certificate, or any other file for that matter, from a remote URL and save it as a local file using the syntax "certutil.exe -urlcache -split -f [URL] output.file"."
-------

Title:  Researchers Hijack Over 2,000 Subdomains From Legitimate Sites in CloudFront Experiment
URL:    https://www.bleepingcomputer.com/news/security/researchers-hijack-over-2-000-subdomains-from-legitimate-sites-in-cloudfront-experiment/
Date:   5th April 2018
Author: Catalin Cimpanu

Excerpt:
"Experts found that CloudFront's CDN routing mechanism that linked a site's domain and subdomains to a specific server contained a flaw that allowed attackers to point misconfigured subdomains to their own endpoint instead, effectively hijacking the subdomain from legitimate CloudFront users."

-------

Here are this week's noteworthy security bulletins (in no particular order):

1.    ASB-2018.0066 - [Win] Microsoft Windows: Administrator compromise - Existing account
https://www.auscert.org.au/bulletins/60506

Windows 7 and 2008 server ulnerable to a Windows Kernel Elevation of Privilege Vulnerability.

2.    ESB-2018.0999 - [Win] Microsoft Malware Protection Engine: Administrator compromise - Remote with user interaction
https://www.auscert.org.au/bulletins/60678

A remote code execution vulnerability patched in the Microsoft Malware Protection Engine.

3.    ESB-2018.0967 - [Mac] High Sierra: Multiple vulnerabilities
https://www.auscert.org.au/bulletins/60546

A malicious application may be able to execute arbitrary code with kernel privileges.

4.    ESB-2018.1040 - [Appliance] Moxa MXview: Access privileged data - Remote/unauthenticated
https://www.auscert.org.au/bulletins/60850

The private key of the web server is able to be read and accessed via an HTTP GET request.

5.    ESB-2018.1042 - [RedHat] python-paramiko: Execute arbitrary code/commands - Remote/unauthenticated
https://www.auscert.org.au/bulletins/60862

A customized SSH client can simply skip the authentication step.

---

Wishing you the best from AusCERT and hope to see you safe next week,
Geoffroy


« Back to all blog entries