Posts Tagged ‘vulnerable’

Cisco ASR 1000 Series Aggregation Services Routers Fragmented Packet Denial of Service Vulnerability

Tuesday, August 4th, 2015

Summary: A vulnerability in the code handling the reassembly of fragmented IP version 4 (IPv4) or IP version 6 (IPv6) packets of Cisco IOS XE Software for Cisco ASR 1000 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to cause a crash of the Embedded Services Processor (ESP) processing the packet. The vulnerability is due to improper processing of crafted, fragmented packets. An attacker could exploit this vulnerability by sending a crafted sequence of fragmented packets. An exploit could allow the attacker to cause a reload of the affected platform. Cisco has released software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150730-asr1k

Vulnerable Products: All Cisco ASR 1000 Series Aggregation Services Routers models are affected by this vulnerability when running an affected version of Cisco IOS XE Software. This vulnerability does not depend on any specific combination of ESP and Route Processor (RP) installed on the chassis. Any combination of ESP and RP is affected.

Products Confirmed Not Vulnerable

Details: A vulnerability in the code handling the reassembly of fragmented IP version 4 (IPv4) or IP version 6 (IPv6) packets of Cisco IOS XE Software for Cisco ASR 1000 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to cause a crash of the Embedded Services Processor (ESP) processing the packet. The vulnerability is due to improper processing of crafted, fragmented packets. An attacker could exploit this vulnerability by sending a crafted sequence of fragmented packets. An exploit could allow the attacker to cause a reload of the affected platform. This vulnerability can be triggered by IPv4 or IPv6 crafted, fragmented packets destined to the device itself. It cannot be triggered by transit traffic. This vulnerability could be repeatedly exploited to cause an extended DoS condition. This vulnerability is documented in Cisco bug ID CSCtd72617 (registered customers only), and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2015-4291.

Vulnerability Scoring Details

Cisco has scored the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response. Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks. Cisco has provided additional information regarding CVSS at the following link: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link: http://intellishield.cisco.com/security/alertmanager/cvss

CSCtd72617 – Cisco IOS XE Software Fragmented Packet Denial of Service Vulnerability

CVSS Base Score – 7.8
  Access Vector: Network
  Access Complexity: Low
  Authentication: None
  Confidentiality Impact: None
  Integrity Impact: None
  Availability Impact: Complete

CVSS Temporal Score – 6.4
  Exploitability: Functional
  Remediation Level: Official-Fix
  Report Confidence: Confirmed

Impact

Successful exploitation of this vulnerability may cause a crash of the ESP processing the packet, resulting in a DoS condition. Repeated exploitation could result in an extended DoS condition.

Software Versions and Fixes

When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Alerts archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. This vulnerability has been fixed in the following Cisco IOS XE Software versions:

Cisco IOS XE Software Train – First Fixed Release
  2.1 – Vulnerable; migrate to 2.5.1 or later. (1)
  2.2 – Vulnerable; migrate to 2.5.1 or later. (1)
  2.3 – Vulnerable; migrate to 2.5.1 or later. (1)
  2.4 – 2.4.3 (1)
  2.5 – 2.5.1 (1)

Source: Cisco ASR 1000 Series Aggregation Services Routers Fragmented Packet Denial of Service Vulnerability

600TB MongoDB Database ‘accidentally’ exposed on the Internet

Monday, July 27th, 2015

This huge MongoDB database isn’t exposed due to a flaw in its latest version of the software, but due to the use of out-of-date and unpatched versions of the platform that fail to bind to localhost.

While investigating NoSQL databases, Matherly focused on MongoDB, which is growing in popularity.

“It turns out that MongoDB version 2.4.14 seems to be the last version that still listened to 0.0.0.0 [in which listening is enabled for all interfaces] by default, which looks like a maintenance release done on April 28, 2015,” Matherly wrote in a blog post.

The security issue was first reported as a critical vulnerability back in February of 2012 by Roman Shtylman, but it took MongoDB developers a bit more than two years to rectify this security flaw.

Affected, outdated versions of the MongoDB database do not have a ‘bind_ip 127.0.0.1’ option set in mongodb.conf, potentially leaving users’ servers exposed if they are not aware of this setting.

According to Shtylman, “The default should be to lockdown as much as possible and only expose if the user requests it.”
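An added example, not from the article or from MongoDB, of the configuration check a defender would run on a 2.4-era instance: it parses the INI-style mongodb.conf those releases used (accepting both ‘bind_ip = 127.0.0.1’ and the bare ‘bind_ip 127.0.0.1’ spelling quoted above; the ‘auth’ key is the 2.4-era authentication switch) and reports whether the server is bound only to loopback and requires authentication. The two sample configurations are constructed for the example.

```python
import ipaddress


def parse_conf(text: str) -> dict:
    """Parse the INI-style mongodb.conf used by 2.4-era releases.

    Accepts 'key = value' and the bare 'key value' spelling; '#' starts a
    comment; a key with no value is treated as a boolean switch ('true').
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
        else:
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "true")
        settings[key] = value
    return settings


def is_loopback(addr: str) -> bool:
    """True only for 127.0.0.0/8 or ::1; hostnames and typos count as not loopback."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_conf(text: str) -> list:
    """Return a list of findings; empty means loopback-only and authenticated."""
    s = parse_conf(text)
    findings = []
    bind = s.get("bind_ip")
    if bind is None:
        findings.append("bind_ip missing: affected releases default to 0.0.0.0 (all interfaces)")
    else:
        addrs = [a.strip() for a in bind.split(",") if a.strip()]
        if any(a in ("0.0.0.0", "::") for a in addrs):
            findings.append(f"bind_ip {bind!r} listens on all interfaces")
        elif not all(is_loopback(a) for a in addrs):
            findings.append(f"bind_ip {bind!r} is reachable from the network; confirm it is intended and firewalled")
    if s.get("auth", "false").lower() not in ("true", "1", "yes"):
        findings.append("auth not enabled: anyone who can reach the port can read and write every database")
    return findings


# Constructed sample configurations (not taken from any real deployment).
EXPOSED_CONF = """\
# mongodb.conf as it might ship on an outdated cloud image (constructed sample)
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongodb.log
port = 27017
"""

HARDENED_CONF = """\
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongodb.log
port = 27017
bind_ip = 127.0.0.1
auth = true
"""

if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_conf(conf) or ["no findings"])
```

Binding to loopback is only the first half of the fix the quoted advice asks for: a server that is reachable from the network because an application host needs it still needs authentication enabled, which is why the audit reports the two conditions separately.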

Affected Versions

Earlier releases of version 2.6 appeared to have been affected too, which puts users of MongoDB versions 2.4.9 and 2.4.10, followed by 2.6.7, at risk.

The majority of publicly exposed MongoDB instances run on cloud servers such as Amazon, Digital Ocean, Linode, and the Internet service and hosting provider OVH, and do so without authentication, making cloud services more buggy than datacenter hosting.

“My guess is that cloud images do not get updated as often, which translates into people deploying old and insecure versions of software,” Matherly said.

Affected users are advised to upgrade to the latest version as soon as possible.

This isn’t the first time MongoDB instances have been exposed to the Internet: back in February, German researchers found nearly 40,000 MongoDB instances openly available on the Internet.

via 600TB MongoDB Database ‘accidentally’ exposed on the Internet.

InfoSec Diary – Putty 0.64 released last week with New Features!

Thursday, March 5th, 2015

Putty 0.64 released last week (sorry, we missed it) – private-key-not-wiped-2 and diffie-hellman-range-check security issues resolved.

These features are new in beta 0.64 (released 2015-02-28):

  • Security fix: PuTTY no longer retains the private half of users’ keys in memory by mistake after authenticating with them. See private-key-not-wiped-2. (Sorry! We thought we’d fixed that in 0.63, but missed one.)
  • Support for SSH connection sharing, so that multiple instances of PuTTY to the same host can share a single SSH connection instead of all having to log in independently.
  • Command-line and configuration option to specify the expected host key(s).
  • Defaults change: PuTTY now defaults to SSH-2 only, instead of its previous default of SSH-2 preferred.
  • Local socket errors in port-forwarded connections are now recorded in the PuTTY Event Log.
  • Bug fix: repeat key exchanges in the middle of an SSH session now never cause an annoying interactive host key prompt.
  • Bug fix: reset the bolded-text default setting back to what it used to be. (0.63 set it to something wrong, as a side effect of refactoring.)
  • Bug fix: IPv6 literals are handled sensibly throughout the suite, if you enclose them in square brackets to prevent the colons being mistaken for a :port suffix.
  • Bug fix: IPv6 dynamic port forwardings should work again.

See http://www.chiark.greenend.org.uk/~sgtatham/putty/ and http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html

via InfoSec Handlers Diary Blog – Putty 0.64 released last week (sorry, we missed it) – private-key-not-wiped-2 and diffie-hellman-range-check security issues resolved. See http://www.chiark.greenend.org.uk/~sgtatham/putty/ and http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html.

What is Freak? Security bug affects hundreds of millions of iPhone, iPad and Android users

Wednesday, March 4th, 2015

Researchers have uncovered the latest vulnerability in the way our data is protected online, with the Freak bug potentially putting hundreds of millions of smartphone and tablet users at risk.

The bug, which affects HTTPS encrypted communication online, has been around for decades, but was only uncovered on 3 March, 2015. If exploited, the bug could give hackers access to your personal data, including login details and even banking information.

Here, we break down just what Freak is, how it works, and who is vulnerable:

What is Freak?

Freak is the latest security flaw to be discovered in the cryptographic protocols which are used to encrypt your online communications – known as SSL and TLS.

The vulnerability is in particular found in OpenSSL, the same software that was at the centre of the Heartbleed controversy last year.

Who discovered it?

The vulnerability, which has been around since the 1990s, was only discovered on Tuesday, 3 March by researchers at the French Institute for Research in Computer Science and Automation, Microsoft Research and IMDEA.

Why has Freak been around for so long?

The problem dates back to the early 1990s when the US government decided that it wanted to weaken the encryption standards on products being shipped overseas by US companies.

It required companies to downgrade the encryption being used from strong RSA-grade encryption to “export-grade” encryption. At the time this “export-grade” encryption was still relatively strong, requiring a supercomputer to crack the 512-bit encryption key, meaning only the US government was likely to be able to exploit the vulnerability.

However with the rapid advance in computing, this is no longer the case, and with access to huge computing power through the likes of Amazon’s cloud computing service AWS, anyone could potentially exploit the Freak bug.

As renowned cryptographer Matthew Green says:

The export-grade RSA ciphers are the remains of a 1980s-vintage effort to weaken cryptography so that intelligence agencies would be able to monitor. This was done badly. So badly, that while the policies were ultimately scrapped, they’re still hurting us today. Encryption backdoors will always turn around and bite you in the ass. They are never worth it.
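The downgrade only succeeds if the server answers with one of those RSA_EXPORT cipher suites in its ServerHello, so the negotiated suite is what a network defender watches for. As an added example (not from the article or from the researchers), the following Python parses a TLS ServerHello record and flags the RSA_EXPORT suite IDs listed in the IANA TLS Cipher Suite registry; the build_server_hello helper constructs the sample records used for the check and is not captured traffic.

```python
import struct

# Cipher suite IDs of the TLS RSA_EXPORT suites a FREAK downgrade lands on
# (values from the IANA TLS Cipher Suite registry).
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
HANDSHAKE = 0x16     # TLS record content type
SERVER_HELLO = 0x02  # handshake message type


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello and return its fields.

    Raises ValueError for anything that is not a well-formed ServerHello,
    so a sensor never reads a cipher suite out of garbage.
    """
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _record_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError(f"not a handshake record (type 0x{content_type:02x})")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4:
        raise ValueError("record length does not match payload")
    if body[0] != SERVER_HELLO:
        raise ValueError(f"not a ServerHello (handshake type 0x{body[0]:02x})")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # version(2) + random(32) + session_id_len(1) + cipher_suite(2) + compression(1)
    if len(hello) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    session_id_len = hello[34]
    off = 35 + session_id_len
    if len(hello) < off + 3:
        raise ValueError("ServerHello shorter than its session id announces")
    return {
        "version": struct.unpack("!H", hello[:2])[0],
        "random": hello[2:34],
        "session_id": hello[35:off],
        "cipher_suite": struct.unpack("!H", hello[off:off + 2])[0],
        "compression": hello[off + 2],
    }


def export_suite_negotiated(record: bytes):
    """Name of the RSA_EXPORT suite the server chose, or None if the suite is not export-grade."""
    suite = parse_server_hello(record)["cipher_suite"]
    return EXPORT_SUITES.get(suite)


def build_server_hello(cipher_suite: int, version: int = 0x0303) -> bytes:
    """Constructed sample ServerHello: zeroed random, empty session id, no extensions."""
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"
             + struct.pack("!H", cipher_suite) + b"\x00")
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", HANDSHAKE, version, len(handshake)) + handshake


if __name__ == "__main__":
    for suite in (0x0003, 0xC02F):  # an export suite and ECDHE-RSA-AES128-GCM-SHA256
        print(f"0x{suite:04x}: {export_suite_negotiated(build_server_hello(suite)) or 'not export-grade'}")
```

The same parser serves the server-side fix: a TLS stack that never offers or accepts these suite IDs cannot be downgraded, whatever the client proposes.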

Who is vulnerable to a Freak attack?

[Image: The Safari browser on Apple’s iPhones and iPads is vulnerable to attack (IBTimes UK)]

According to the researchers, on the user side Apple’s Safari web browser on its iPhone, iPad and Mac devices is vulnerable, as is almost every version of Android, because Google uses OpenSSL in its mobile operating system. That means potentially hundreds of millions of people are at risk.

The Chrome desktop browser, Microsoft’s Internet Explorer and Mozilla’s Firefox are not vulnerable.

On the server side, according to researchers, just shy of 10% of the internet’s top million websites are vulnerable. This is down from 12.2% on Tuesday, meaning that website administrators seem to be fixing the problem.

There are, however, still many major websites, including banking, media and government sites, which are affected. These include the websites of American Express, Business Insider, Bloomberg, the Marriott hotel group and indeed IBTimes UK.

The list previously included the FBI’s website for anonymous informants, but it would seem this is no longer vulnerable. However, the whitehouse.gov website remains vulnerable.

The full list can be found here.


via What is Freak? Security bug affects hundreds of millions of iPhone, iPad and Android users.

Worst passwords of 2014 are just as terrible as you’d think

Tuesday, January 20th, 2015

weak-password-dragon

If the onset of high-profile hackings taught us anything in 2014, it’s absolutely nothing.

Password management firm SplashData released its annual list of the worst passwords of the year and it’s just as dreadful as you’d think. The company, which analyzed the 3 million passwords leaked online last year, revealed that the most common leaked password in 2014 was “123456,” followed by “password” — both topped the list last year, too.

Of course, the more common a password is the higher the chances a hacker can get into personal accounts, like email and banking.

While number sequences were as popular as ever, sports terms like “baseball” and “football” were used more often, as well as words related to favorite sports teams — “yankees,” “eagles,” “steelers,” “rangers” and “lakers” all made the top 100.

Birthday years were common too (especially 1989, 1990, 1991 and 1992) and names like “Michael,” “Jennifer,” “Michelle” and “Hunter” are also among the top 100 worst passwords of 2014.

Here’s a look at the top 25 passwords of the year:

1. 123456 (Unchanged from 2013)

2. password (Unchanged)

3. 12345 (Up 17)

4. 12345678 (Down 1)

5. qwerty (Down 1)

6. 234567890 (Unchanged)

7. 1234 (Up 9)

8. baseball (New)

9. dragon (New)

10. football (New)

11. 1234567 (Down 4)

12. monkey (Up 5)

13. letmein (Up 1)

14. abc123 (Down 9)

15. 111111 (Down 8)

16. mustang (New)

17. access (New)

18. shadow (Unchanged)

19. master (New)

20. michael (New)

21. superman (New)

22. 696969 (New)

23. 123123 (Down 12)

24. batman (New)

25. trustno1 (Down 1)

The list is particularly scary as it comes on the heels of major hacking attacks against companies like Sony Pictures and the celebrity nude photo scandal that hit last year.

This year’s worst passwords are painfully weak, but what were once considered clever password strategies — using symbols, capitalizations, the number 3 in place of the letter “e” — are old tricks. As a refresher, it’s now recommended to pick a different password for each account you use — you wouldn’t use the same key in all of your locks, and the same goes for passwords.

Another tip to remember is that passwords should be 14 characters long and you should avoid words with personal information, like your birthday and favorite color. Scatter numbers and symbols throughout your password (don’t just tack them onto the end) and pick word combinations that aren’t related (e.g. something like “catfoldersspaceshuttle” and not “icameisawiconquered”).

Companies like Gmail, Facebook, Twitter and Apple are now trying to make hacking more difficult on their services by offering two-factor authentication, which is basically like double locking your door at night. Each time you want to log into that account, the company will send a code to your phone — it changes after each login attempt, so hackers would have to be in physical possession of your smartphone to know the code.

via Worst passwords of 2014 are just as terrible as you’d think.

InfoSec Alert!!! Critical #NTP Vulnerability in ntpd prior to 4.2.8

Tuesday, December 23rd, 2014

The Google security team discovered several vulnerabilities in current NTP implementations, one of which can lead to arbitrary code execution [1][2]. NTP servers prior to version 4.2.8 are affected.

There are some rumors about active exploitation of at least some of the vulnerabilities Google discovered.

Make sure to patch all publicly reachable NTP implementations as fast as possible.

Mitigating Circumstances:

Try to block inbound connections to NTP servers that do not have to be publicly reachable. However, be aware that simple stateful firewalls may not track UDP connections correctly and will allow access to internal NTP servers from any external IP if the NTP server recently established an outbound connection.

ntpd typically does not have to run as root. Most Unix/Linux versions will configure NTP to run as a lower-privileged user.

According to the advisory at ntp.org, you can also:

Disable Autokey Authentication by removing, or commenting out, all configuration directives beginning with the crypto keyword in your ntp.conf file.

A few Ubuntu and CentOS systems I tested, as well as OS X systems, do not seem to use autokey.

[1] http://www.kb.cert.org/vuls/id/852879

[2] http://support.ntp.org/bin/view/Main/SecurityNotice

CVE – Impact – Details

CVE-2014-9293 – authentication – ntp will create a weak key if none is provided in the configuration file.

CVE-2014-9294 – authentication – ntp-keygen uses a weak seed to create random keys.

CVE-2014-9295 – remote code execution – A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process.

CVE-2014-9296 – missing error message – In the NTP code, a section of code is missing a return, and the resulting error indicates processing did not stop.

via InfoSec Handlers Diary Blog – Critical #NTP Vulnerability in ntpd prior to 4.2.8.

Critical Git Client vulnerability Allows Malicious Remote Code Execution

Monday, December 22nd, 2014

Developers running the open source Git code-repository software and tools, like GitHub, on Mac OS X and Windows computers are strongly advised to install a security update that patches a major security vulnerability in Git clients that could allow an attacker to hijack end-user computers.

The critical Git vulnerability affects all versions of the official Git client and all the related software that interacts with Git repositories, including GitHub for Windows and Mac OS X, according to a GitHub advisory published Thursday.

HOW GIT BUG WORKS

The vulnerability allows an attacker to execute remote code on a client’s computer when the client software accesses Git repositories. The GitHub engineering team gave a detailed explanation on how attackers might exploit the vulnerability:

“An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine,” Thursday’s advisory warned. “Git clients running on OS X (HFS+) or any version of Microsoft Windows (NTFS, FAT) are exploitable through this vulnerability. Linux clients are not affected if they run in a case-sensitive file system.”
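The advisory describes the trigger: a tree entry whose name a case-insensitive filesystem maps onto .git, so that checking it out overwrites the repository’s own configuration. As an added example (illustrative Python, not git’s own path verification code), the check below rejects such entries before anything is written: it folds case, strips the trailing dots and spaces that NTFS and FAT ignore, drops a few of the Unicode code points HFS+ ignores when comparing names (the list is an assumption and not exhaustive), and also catches the NTFS 8.3 short name GIT~1. The sample tree is constructed.

```python
import re

# A few of the code points HFS+ ignores when comparing file names (zero-width
# joiner/non-joiner, directional marks, BOM). Illustrative subset, not exhaustive.
HFS_IGNORABLE = {"\u200c", "\u200d", "\u200e", "\u200f", "\ufeff"}

# NTFS 8.3 short names: a directory called ".git" is also reachable as GIT~1, GIT~2, ...
NTFS_SHORT_NAME = re.compile(r"git~[1-9][0-9]*")


def normalize_component(name: str) -> str:
    """Approximate how a case-insensitive filesystem resolves one path component."""
    name = "".join(ch for ch in name if ch not in HFS_IGNORABLE)
    name = name.rstrip(". ")   # NTFS/FAT drop trailing dots and spaces
    return name.casefold()


def is_dot_git(component: str) -> bool:
    """True if this component could resolve to the .git directory."""
    n = normalize_component(component)
    return n == ".git" or NTFS_SHORT_NAME.fullmatch(n) is not None


def verify_tree_path(path: str) -> bool:
    """Return True if `path` is safe to write, False if any component could
    land inside the repository's own .git directory on a case-insensitive filesystem."""
    components = path.replace("\\", "/").split("/")
    return not any(is_dot_git(c) for c in components)


def filter_tree(entries):
    """Partition tree paths (as from `git ls-tree -r --name-only`) into
    those safe to check out and those that must be rejected."""
    accepted, rejected = [], []
    for path in entries:
        (accepted if verify_tree_path(path) else rejected).append(path)
    return accepted, rejected


# Constructed sample tree: legitimate paths plus the spellings a
# case-insensitive client would map onto .git/.
SAMPLE_TREE = [
    "README.md",
    "src/git.c",
    "docs/.gitignore",
    ".Git/config",
    "GIT~1/hooks/post-checkout",
    ".git./config",
    ".g\u200cit/config",
]

if __name__ == "__main__":
    accepted, rejected = filter_tree(SAMPLE_TREE)
    print("accepted:", accepted)
    print("rejected:", rejected)
```

Note that the check is applied to every component, not only the first: a tree that nests a .GIT directory under src/ would otherwise be written into a submodule-like location and still be reached by a later path.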

via Critical Git Client vulnerability Allows Malicious Remote Code Execution – Hacker News.

Router Vulnerability Puts 12 Million Home and Business Routers at Risk!

Monday, December 22nd, 2014

More than 12 million routers in homes and businesses around the world are vulnerable to a critical software bug that can be exploited by hackers to remotely monitor users’ traffic and take administrative control over the devices, from a variety of different manufacturers. The critical vulnerability actually resides in the web server “RomPager” made by a company known as AllegroSoft, which is typically embedded into the firmware of routers, modems and other “gateway devices” from almost every leading manufacturer.

The HTTP server provides the web-based user-friendly interface for configuring the products. Researchers at the security software company Check Point have discovered that RomPager versions prior to 4.34 — software more than 10 years old — are vulnerable to a critical bug, dubbed Misfortune Cookie. The flaw is named Misfortune Cookie because it allows attackers to control the “fortune” of an HTTP request by manipulating cookies.

HOW MISFORTUNE COOKIE FLAW WORKS

The vulnerability, tracked as CVE-2014-9222 in the Common Vulnerabilities and Exposures database, can be exploited by sending a single specifically crafted request to the affected RomPager server that would corrupt the gateway device’s memory, giving the hacker administrative control over it. From there, the attacker can target any other device on that network.

“Attackers can send specially crafted HTTP cookies [to the gateway] that exploit the vulnerability to corrupt memory and alter the application and system state,” said Shahar Tal, malware and vulnerability research manager with Check Point. “This, in effect, can trick the attacked device to treat the current session with administrative privileges – to the misfortune of the device owner.”

Once attackers gain control of the device, they could monitor victims’ web browsing, read plaintext traffic traveling over the device, change sensitive DNS settings, steal account passwords and sensitive data, and monitor or control webcams, computers, or other network-connected devices.

MAJOR ROUTERS & GATEWAY BRANDS VULNERABLE

At least 200 different models of gateway devices, or small office/home office (SOHO) routers, from various manufacturers and brands are vulnerable to Misfortune Cookie, including kit from D-Link, Edimax, Huawei, TP-Link, ZTE, and ZyXEL.

via Router Vulnerability Puts 12 Million Home and Business Routers at Risk – Hacker News.

Wget FTP Symlink Attack Vulnerability | Sans

Monday, November 3rd, 2014


CVE-2014-4877: Wget FTP Symlink Attack Vulnerability

The open-source Wget application, which is widely used on Linux and Unix systems for retrieving files from the web, has been found vulnerable to a critical flaw.

GNU Wget is a command-line utility designed to retrieve files from the Web using HTTP, HTTPS, and FTP, the most widely used Internet protocols. Wget can be easily installed on any Unix-like system and has been ported to many environments, including Microsoft Windows, Mac OS X, OpenVMS, MorphOS and AmigaOS.

When performing a recursive directory fetch with an FTP server as the target, a symlink flaw would let an attacker “create arbitrary files, directories or symbolic links”.

IMPACT OF SYMLINK ATTACK

“It was found that wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP,” developer Vasyl Kaigorodov wrote in a Red Hat Bugzilla comment.

A remote, unauthenticated malicious FTP server connected to the victim via wget would allow attackers to do anything they wanted: wget could download and create or overwrite existing files within the context of the user running wget.

The vulnerability was first reported to the GNU Wget project by HD Moore, chief research officer at Rapid7, and is publicly identified as CVE-2014-4877. The flaw is considered critical since wget is present on nearly every Linux server in the world, and is installable (although not by default) on OS X machines as well, so it needs a patch as soon as possible.

PATCH AVAILABLE

“This flaw can lead to remote code execution through system-level vectors such as cron and user-level vectors such as bash profile files and SSH authorized_keys,” Moore wrote.

The vulnerability has now been fixed by the Wget project in wget 1.16, which changes the default so that local symlinks are no longer created.

“Upgrade to wget version 1.16 or a package that has backported the CVE-2014-4877 patch,” Moore said.
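As an added example (not wget’s code), the following Python shows the two checks a recursive FTP mirror needs before it touches the filesystem: every entry name must still lie under the destination directory after path normalisation, and symlink entries are fetched as ordinary files rather than reproduced as links (the effect of wget’s --retr-symlinks behaviour); if a caller explicitly opts into creating links, targets that leave the mirror are refused. The listing, paths and target names are constructed for the example and nothing is written to disk.

```python
import posixpath
from dataclasses import dataclass


@dataclass
class ListingEntry:
    """One line of an FTP directory listing, as the (untrusted) server reported it."""
    name: str
    kind: str          # "file", "dir" or "symlink"
    target: str = ""   # symlink target as reported by the server


def contained_path(root: str, name: str):
    """Local path for `name` under `root`, or None if it would escape `root`."""
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, name))
    if not candidate.startswith(root + "/"):
        return None   # "..", absolute names and the root itself are all refused
    return candidate


def plan_retrieval(root: str, listing, create_symlinks: bool = False):
    """Decide what to do with each entry before touching the filesystem.

    Returns (name, action, detail) tuples; action is "file", "dir", "symlink"
    or "skip", and detail is the local path or the reason for skipping.
    """
    root = posixpath.normpath(root)
    plan = []
    for entry in listing:
        local = contained_path(root, entry.name)
        if local is None:
            plan.append((entry.name, "skip", "name escapes the destination directory"))
        elif entry.kind == "dir":
            plan.append((entry.name, "dir", local))
        elif entry.kind == "symlink" and not create_symlinks:
            # Do not reproduce the link locally; fetch the pointed-to content as an
            # ordinary file under the mirror instead, so the server cannot make the
            # client write outside the destination.
            plan.append((entry.name, "file", local))
        elif entry.kind == "symlink":
            # Only when the caller insists on links: refuse any target outside root.
            target = posixpath.normpath(posixpath.join(posixpath.dirname(local), entry.target))
            if not target.startswith(root + "/"):
                plan.append((entry.name, "skip", "symlink target leaves the destination directory"))
            else:
                plan.append((entry.name, "symlink", target))
        else:
            plan.append((entry.name, "file", local))
    return plan


# Constructed sample: a listing a hostile server might return, plus the
# kind of entries the checks exist to catch.
MIRROR_ROOT = "/srv/mirror"
SAMPLE_LISTING = [
    ListingEntry("index.html", "file"),
    ListingEntry("docs", "dir"),
    ListingEntry("../../root/.bashrc", "file"),
    ListingEntry("authorized_keys", "symlink", "/root/.ssh/authorized_keys"),
    ListingEntry("latest", "symlink", "docs"),
]

if __name__ == "__main__":
    for step in plan_retrieval(MIRROR_ROOT, SAMPLE_LISTING):
        print(step)
```

The containment check is done on the normalised path rather than by rejecting ".." substrings, because a name such as "docs/../../etc" only reveals where it lands after normalisation; the same function is what a mirror would apply to every nested directory it recurses into.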

via CVE-2014-4877: Wget FTP Symlink Attack Vulnerability.

Multiple Cisco Wireless Gateways Vulnerable to Remote Attacks

Monday, July 21st, 2014

Multiple Cisco Wireless Residential Gateway products have a security vulnerability in the web server that could allow a remote attacker to hijack the devices remotely.

Cisco announced that a number of its Wireless Residential Gateway products are vulnerable to a remote-code execution attack, which is exploited by sending a specially crafted HTTP request to the web server running on the affected device.

According to Cisco, the flaw is due to the incorrect input validation for HTTP requests, which could allow an attacker to exploit a buffer overflow and run arbitrary code on the device. The bug is about as serious as they come, giving remote, unauthenticated attackers access to the affected machines.

“Successful exploitation of the vulnerability may cause the embedded web server to crash and allow the attacker to inject arbitrary commands and execute arbitrary code with elevated privileges,” the Cisco advisory says, and until now, “There are currently no known workarounds available for this vulnerability.”

The Cisco products affected by the vulnerability are as follows:

Cisco DPC3212 VoIP Cable Modem

Cisco DPC3825 8×4 DOCSIS 3.0 Wireless Residential Gateway

Cisco EPC3212 VoIP Cable Modem

Cisco EPC3825 8×4 DOCSIS 3.0 Wireless Residential Gateway

Cisco Model DPC3010 DOCSIS 3.0 8×4 Cable Modem

Cisco Model DPC3925 8×4 DOCSIS 3.0 with Wireless Residential Gateway with EDVA

Cisco Model DPQ3925 8×4 DOCSIS 3.0 Wireless Residential Gateway with EDVA

Cisco Model EPC3010 DOCSIS 3.0 Cable Modem

Cisco Model EPC3925 8×4 DOCSIS 3.0 with Wireless Residential Gateway with EDVA

Cisco said the security bug exists in the devices whether they are configured in a Gateway mode or Router mode on home or small office gateways.

Cisco uses the Common Vulnerability Scoring System (CVSS) to provide an open and standardized rating of the security holes it finds in its products. This vulnerability received the most critical rating on the CVSS scale, a base score of 10. The vulnerability was reported to Cisco by Chris Watts of Tech Analysis.

Cisco has released and distributed free software updates that address the vulnerability to its service provider customers, who will in turn pass them on to the affected home and small office customers. Customers are advised to contact their service providers to confirm that the software deployed by the service provider includes the fix.

via Multiple Cisco Wireless Gateways Vulnerable to Remote Attacks.