AusCERT Week in Review for 22nd June 2018

Greetings,

As Friday 22nd June comes to a close, I’d like to bring your attention to an old but good read from 1996, “Smashing The Stack For Fun And Profit” [1].  Why bring to light this 1996 classic? Because it highlights how hard it is to wipe out a class of vulnerability.  Even 22 years on, with a whole lot of smart people on the problem, today’s automated code checking and secure coding frameworks, that class of vulnerability still gets through to production.  Also, the time between a fix being available and news of it reaching a wide audience can be weeks. For example, Firefox shipped a release on 6th June with [mfsa2018-14], and it seems to have only made general news this week, on Monday 18th June.  Surely nothing bad could really happen in a couple of weeks.
Yes, incidents will happen, and a function in an organisation that keeps its fingers on the pulse of those incidents and can analyse the depth of their impact is a worthwhile investment in cyber security.
An incident may be no more than a wake-up call: port 8000 suddenly and unusually being requested “en masse”, say.  Could that function relate those port requests to the “XiongMai uc-httpd 1.0.0 Buffer Overflow Exploit” and then check whether the traffic reached any exposed IoT device in the organisation running the vulnerable code?
It sounds simple, but the difficulty is in the detail. Just drop the words “Vulnerability Management” around the workplace and watch the reaction.  Perhaps you only need to fine-tune your VM SOPs by adding a task of digesting some industry news and a few advisories each week.  Enjoy.
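The triage described above, as an added example written for this newsletter (it is not AusCERT tooling, and not code from the Satori or uc-httpd write-ups quoted below): a few constructed firewall log lines are parsed, connection attempts to port 8000 are bucketed per minute, a burst is flagged against the quieter minutes, and the destinations probed during the burst are cross-referenced with a constructed inventory of internet-facing hosts and the web server banner recorded for each. The log format, the addresses, the banners, the "allow means forwarded" reading of the firewall action and the spike thresholds are all assumptions; only the ports (80 and 8000) and the server version string come from the excerpts further down.

```python
"""Triage a burst of port-8000 connection attempts against an exposed-asset inventory.

Added example written for this newsletter; it is not AusCERT tooling and not code
from the Satori/uc-httpd research quoted below.  The log format, addresses,
banners and thresholds are constructed for illustration.
"""
from collections import Counter
from datetime import datetime

SCAN_PORT = 8000                  # the port suddenly requested "en masse"
TARGET_PORTS = {80, 8000}         # ports the quoted write-up says the exploit is sent over
VULNERABLE_BANNER = "uc-httpd 1.0.0"

# Constructed firewall export (hypothetical format, not real traffic):
#   <ISO timestamp> <allow|deny> src=<ip> dst=<ip> dport=<port>
# "allow" is taken to mean the packet was forwarded to the destination.
SAMPLE_LOG = """\
2018-06-14T09:57:03 allow src=198.51.100.7 dst=203.0.113.20 dport=443
2018-06-14T09:58:10 deny src=198.51.100.9 dst=203.0.113.20 dport=8000
2018-06-14T09:59:40 allow src=198.51.100.7 dst=203.0.113.20 dport=80
2018-06-14T10:02:01 deny src=192.0.2.11 dst=203.0.113.20 dport=8000
2018-06-14T10:02:02 allow src=192.0.2.12 dst=203.0.113.21 dport=8000
2018-06-14T10:02:02 deny src=192.0.2.13 dst=203.0.113.22 dport=8000
2018-06-14T10:02:03 allow src=192.0.2.14 dst=203.0.113.21 dport=8000
2018-06-14T10:02:04 deny src=192.0.2.15 dst=203.0.113.22 dport=8000
2018-06-14T10:02:05 allow src=192.0.2.16 dst=203.0.113.21 dport=80
2018-06-14T10:02:06 deny src=192.0.2.17 dst=203.0.113.20 dport=8000
2018-06-14T10:02:07 deny src=192.0.2.12 dst=203.0.113.22 dport=8000
2018-06-14T10:02:08 allow src=192.0.2.18 dst=203.0.113.21 dport=8000
2018-06-14T10:02:09 deny src=192.0.2.19 dst=203.0.113.20 dport=8000
2018-06-14T10:02:10 allow src=192.0.2.20 dst=203.0.113.21 dport=8000
2018-06-14T10:03:15 allow src=198.51.100.7 dst=203.0.113.20 dport=443
"""

# Constructed asset inventory: internet-facing hosts and the HTTP Server banner
# recorded by the organisation's last external scan (hypothetical values).
EXPOSED_ASSETS = {
    "203.0.113.20": "nginx/1.14.0",
    "203.0.113.21": "uc-httpd 1.0.0",   # vulnerable and reachable on 8000
    "203.0.113.22": "uc-httpd 1.0.0",   # vulnerable, but the firewall drops 8000
}


def parse_line(line):
    """Return (minute, action, src, dst, dport), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5 or parts[1] not in ("allow", "deny"):
        return None
    try:
        stamp = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        fields = dict(p.split("=", 1) for p in parts[2:])
        dport = int(fields["dport"])
        return stamp.strftime("%Y-%m-%dT%H:%M"), parts[1], fields["src"], fields["dst"], dport
    except (ValueError, KeyError):
        return None


def parse_log(text):
    """Parse every non-empty line, silently dropping anything that does not fit the format."""
    events = (parse_line(line) for line in text.splitlines() if line.strip())
    return [e for e in events if e is not None]


def hits_per_minute(events, port):
    """Connection attempts to `port` per minute.  Minutes with no attempts are absent."""
    return Counter(minute for minute, _action, _src, _dst, dport in events if dport == port)


def spike_minutes(per_minute, floor=5, factor=4):
    """Minutes whose count is at least `floor` and at least `factor` times the median of
    the other minutes.  Quiet minutes are missing from the Counter, which biases the
    baseline upward, so this check errs towards staying silent rather than alerting."""
    spikes = []
    for minute, count in sorted(per_minute.items()):
        others = sorted(c for m, c in per_minute.items() if m != minute)
        baseline = others[len(others) // 2] if others else 0
        if count >= floor and count >= factor * max(baseline, 1):
            spikes.append(minute)
    return spikes


def triage(log_text, assets, port=SCAN_PORT):
    """Flag burst minutes on `port`, count distinct scanners, and list which inventoried
    hosts running the vulnerable server were probed on an exploit port and which of
    those probes the firewall actually forwarded."""
    events = parse_log(log_text)
    spikes = set(spike_minutes(hits_per_minute(events, port)))
    sources, targeted, reached = set(), set(), set()
    for minute, action, src, dst, dport in events:
        if minute not in spikes or dport not in TARGET_PORTS:
            continue
        if dport == port:
            sources.add(src)            # distinct scanners on the spiking port
        if assets.get(dst) == VULNERABLE_BANNER:
            targeted.add(dst)           # vulnerable host probed on an exploit port
            if action == "allow":
                reached.add(dst)        # probe was forwarded: needs host-level checks
    return {
        "spike_minutes": sorted(spikes),
        "distinct_sources": len(sources),
        "vulnerable_targeted": sorted(targeted),
        "vulnerable_reached": sorted(reached),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG, EXPOSED_ASSETS), indent=2))
```

On the constructed data the burst minute is 10:02, nine distinct sources are scanning port 8000, both uc-httpd hosts are probed, and only 203.0.113.21 actually received the traffic; that host is the one that needs a firmware check and a look at its logs, while 203.0.113.22 is protected by the perimeter rule but still needs patching. The "vulnerable_reached" list is the piece a vulnerability management SOP rarely produces on its own, because it needs the asset inventory, the scan banners and the firewall logs joined in one place.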

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

——-

Title:  Google Developer Discovers a Critical Bug in Modern Web Browsers
URL:  https://thehackernews.com/2018/06/browser-cross-origin-vulnerability.html
Date:  20th June 2018
Author: Mohit Kumar

Excerpt:
“Discovered by Jake Archibald, developer advocate for Google Chrome, the vulnerability resides in the way browsers handle cross-origin requests to video and audio files, which if exploited, could allow remote attackers to even read the content of your Gmail or private Facebook messages.”

——-

Title:  Botnets never Die, Satori REFUSES to Fade Away
URL:    http://blog.netlab.360.com/botnets-never-die-satori-refuses-to-fade-away-en/
Date:   15th June 2018
Author: NetLab

Excerpt:
“Two days ago, on 2018-06-14, we noticed that an updated Satori botnet began to perform a network-wide scan looking for uc-httpd 1.0.0 devices. Most likely for the vulnerability of XiongMai uc-httpd 1.0.0.”

——-

Title:  Apple macOS Bug Reveals Cache of Sensitive Data from Encrypted Drives
URL:    https://thehackernews.com/2018/06/apple-macos-quicklook.html
Date:   18th June 2018
Author: Swati Khandelwal

Excerpt:
“Security researchers are warning of an almost decade-old issue with one of Apple’s macOS features which was designed for users’ convenience but is potentially exposing the contents of files stored on password-protected encrypted drives.”

——-

Title:  SamSam ransomware: controlled distribution for an elusive malware
URL:    https://blog.malwarebytes.com/threat-analysis/2018/06/samsam-ransomware-controlled-distribution/
Date:   19th June 2018
Author: Malwarebytes Labs

Excerpt:
“SamSam ransomware has been involved in some high profile attacks recently, and remains a somewhat elusive malware. In its time being active, SamSam has gone through a slight evolution, adding more features and alterations into the mix. These changes do not necessarily make the ransomware more dangerous, but they are added to make it just a bit more tricky to detect or track as it is constantly changing.”

——-

Title:  All That Port 8000 Traffic This Week! Yeah, That’s Satori Looking for New Bots
URL:    https://www.bleepingcomputer.com/news/security/all-that-port-8000-traffic-this-week-yeah-thats-satori-looking-for-new-bots/
Date:   15th June 2018
Author: Catalin Cimpanu

Excerpt:
“The PoC code was for a buffer overflow vulnerability (CVE-2018-10088) in XionMai uc-httpd 1.0.0, a lightweight web server package often found embedded inside the firmware of routers and IoT equipment sold by some Chinese vendors.
The exploit allows an attacker to send a malformed package via ports 80 or 8000 and execute code on the device, effectively taking it over.”

——-

Title:  Firefox fixes critical buffer overflow
URL:    https://nakedsecurity.sophos.com/2018/06/18/firefox-fixes-critical-buffer-overflow/
Date:   18th June 2018
Author: Maria Varmazis

Excerpt:
“Earlier this month Mozilla announced a security advisory (MFSA2018-14) for its Firefox browser, noting that version 60.0.2 of both Firefox and Firefox Extended Support Release (ESR) as well as the legacy ESR (ESR 52.8.1) now have a fix for a critical-level buffer overflow vulnerability.”

——-

Title:  Google’s Newest Feature: Find My Home
URL:    https://www.tripwire.com/state-of-security/vert/googles-newest-feature-find-my-home/#.WyfDEMLoy-g.twitter
Date:   18th June 2018
Author: Craig Young

Excerpt:
“Despite all of these efforts to thwart unwanted online tracking, it turns out that our connected gadgets may not only uniquely identify us but, in some cases, they can reveal precise physical locations. In this blog post, I will reveal a new attack against Google Home and Chromecast devices that does exactly that.”

——-

Here are this week’s noteworthy security bulletins (in no particular order):

1.    ESB-2018.1810 – ALERT [Cisco] Cisco NX-OS: Multiple vulnerabilities
https://www.auscert.org.au/bulletins/64198
CVE-2018-0313 A successful exploit could allow the attacker to execute arbitrary commands with root privileges.

2.    ESB-2018.1809 – ALERT [Cisco] Cisco FXOS and Cisco NX-OS: Multiple vulnerabilities
https://www.auscert.org.au/bulletins/64194
CVE-2018-0304 …which could allow the attacker to read sensitive memory content, create a DoS condition, or execute arbitrary code as root.

3.    ESB-2018.1836 – [Win][Linux][IBM i][HP-UX][Solaris][AIX] IBM WebSphere Application Server: Multiple vulnerabilities    
https://www.auscert.org.au/bulletins/64302
CVE-2014-0114 …to manipulate the ClassLoader and execute arbitrary code on the system.

4.    ESB-2018.1834 – [Win][UNIX/Linux] phpMyAdmin: Multiple vulnerabilities
https://www.auscert.org.au/bulletins/64294
CVE-2018-12581 …attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin.

5.    ESB-2018.1829 – [Win] Delta Industrial Automation COMMGR: Multiple vulnerabilities
https://www.auscert.org.au/bulletins/64274
CVE-2018-10594 This may allow remote code execution, cause the application to crash, or result in a denial-of-service condition in the application server.

Wishing you the best from AusCERT and hope to see you safe next week,
Geoffroy

P.S. Just as an exercise, it may be instructive to count how many of the bulletins AusCERT processed this week hint at the 1996 technique.