Out-of-band Drupal security updates fix bugs with known exploits

Drupal has released out-of-band security updates to fix two critical code execution flaws (CVE-2020-28948, CVE-2020-28949) in Drupal core, as “there are known exploits for one of core’s dependencies and some configurations of Drupal are vulnerable.”


The vulnerabilities (CVE-2020-28948, CVE-2020-28949)

CVE-2020-28948 and CVE-2020-28949 are arbitrary PHP code execution vulnerabilities found in the open source PEAR Archive_Tar library, which Drupal uses to handle TAR files in PHP.

“(The) vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them,” the Drupal Security Team explained. Thus, preventing untrusted users from uploading these types of files serves as mitigation.

But, as the maintainers of the library have released fixes and the Drupal team has already incorporated them, the best course of action for users is to upgrade their Drupal installation to versions 9.0.9, 8.9.10, 8.8.12, or 7.75 (depending on which branch they use).

The “known exploits” the Drupal team referenced can be found here.

They also pointed out that these newly patched vulnerabilities aren’t connected to some of those patched nearly a year ago, though “similar configuration changes may mitigate the problem until you are able to patch.”

This is the second time in the span of a week that Drupal core has received security updates: the earlier ones fixed a code execution vulnerability (CVE-2020-13671) that could have been triggered by malicious files with a double extension.

Critical vulnerabilities in Cisco Security Manager fixed, researcher discloses PoCs

Cisco has patched two vulnerabilities in its Cisco Security Manager solution, both of which could allow unauthenticated, remote attackers to gain access to sensitive information on an affected system.


Those are part of a batch of twelve vulnerabilities flagged in July 2020 by Florian Hauser, a security researcher and red teamer at Code White.

About the Cisco Security Manager vulnerabilities

Cisco Security Manager is a security management application that provides insight into and control of Cisco security and network devices deployed by enterprises – security appliances, intrusion prevention systems, firewalls, routers, switches, etc.

Cisco has fixed two vulnerabilities affecting Cisco Security Manager v4.21 and earlier, by pushing out v4.22:

  • CVE-2020-27130, a critical path traversal vulnerability that could be exploited by sending a crafted request to the affected device and could result in the attacker downloading arbitrary files from it
  • CVE-2020-27125, which could allow an attacker to view static credentials in the solution’s source code

Cisco has also simultaneously announced that it will fix multiple Java deserialization vulnerabilities (collectively designated as CVE-2020-27131) in the upcoming v4.23 of the Cisco Security Manager solution. Those could allow unauthenticated, remote attackers to execute arbitrary commands on an affected instance and could be triggered by sending a malicious serialized Java object to a specific listener on an affected system.

The company’s Product Security Incident Response Team (PSIRT) has noted that public announcements about all these vulnerabilities are available, but that they are “not aware” of instances of actual malicious use in the wild.

The public announcements they are referring to are a post on Gist, a pastebin service operated by GitHub, through which Hauser shared PoCs for the flaws he discovered and flagged.

Git LFS vulnerability allows attackers to compromise targets’ Windows systems (CVE-2020-27955)

A critical vulnerability (CVE-2020-27955) in Git Large File Storage (Git LFS), an open source Git extension for versioning large files, allows attackers to achieve remote code execution if the Windows-using victim is tricked into cloning the attacker’s malicious repository using a vulnerable Git version control tool, security researcher Dawid Golunski has discovered.


It can be exploited in a variety of popular Git clients in their default configuration – GitHub CLI, GitHub Desktop, SmartGit, SourceTree, GitKraken, Visual Studio Code, etc. – and likely other clients/development IDEs (i.e., those that install git with the Git LFS extension by default).

“Web applications / hosted repositories running on Windows which allow users to import their repositories from a URL may also be exposed to this vulnerability,” Golunski added.

About the vulnerability (CVE-2020-27955)

Golunski found that Git LFS does not specify a full path to the git binary when executing a new git process via a specific exec.Command() function.

“As the exec.Command() implementation on Windows systems includes the current directory, attackers may be able to plant a backdoor in a malicious repository by simply adding an executable file named: git.bat, git.exe, git.cmd or any other extension that is used on the victim’s system (PATHEXT environment dependent), in the main repo’s directory. As a result, the malicious git binary planted in this way will get executed instead of the original git binary located in a trusted path,” he explained.

The vulnerability can be triggered if the victim is tricked into cloning the attacker’s malicious repository using a vulnerable Git version control tool.
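Added example (not Git LFS's own code): a Go model of the Windows lookup order quoted above, beside a hardened resolver that never consults the current directory, plus the same policy applied with the real os/exec resolver. The directory names, PATHEXT list and files are constructed; TrustedGitPath assumes Go 1.19 or newer for exec.ErrDot.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
	"strings"
)

// Lookup is a constructed model of how Windows resolves a bare program name
// such as "git": the process's current directory is searched before every PATH
// entry, and each candidate is tried with every PATHEXT extension. That search
// order is what CVE-2020-27955 relied on when Git LFS ran exec.Command("git", ...)
// with the freshly cloned repository as the working directory.
type Lookup struct {
	Cwd     string          // directory the repository was cloned into
	PathExt []string        // PATHEXT entries, e.g. ".COM", ".EXE", ".BAT", ".CMD"
	Path    []string        // PATH entries, in order
	Files   map[string]bool // constructed file system: lower-cased full paths
}

func winJoin(dir, file string) string { return dir + `\` + file }

func (l Lookup) exists(p string) bool { return l.Files[strings.ToLower(p)] }

// firstHit returns the first existing "name + PATHEXT" candidate inside dir.
func (l Lookup) firstHit(dir, name string) (string, bool) {
	for _, ext := range l.PathExt {
		if p := winJoin(dir, name+ext); l.exists(p) {
			return p, true
		}
	}
	return "", false
}

// ResolveLikeWindows reproduces the unsafe default: cwd first, then PATH.
func (l Lookup) ResolveLikeWindows(name string) (string, bool) {
	for _, dir := range append([]string{l.Cwd}, l.Path...) {
		if p, ok := l.firstHit(dir, name); ok {
			return p, true
		}
	}
	return "", false
}

// ResolveTrusted is the hardened policy: the current directory is never
// consulted, so a git.exe/git.bat/git.cmd shipped inside a repository cannot
// shadow the git installed in a trusted PATH location.
func (l Lookup) ResolveTrusted(name string) (string, bool) {
	for _, dir := range l.Path {
		if p, ok := l.firstHit(dir, name); ok {
			return p, true
		}
	}
	return "", false
}

// TrustedGitPath applies the same policy with the real os/exec resolver. Since
// Go 1.19 LookPath reports a hit in the current directory as exec.ErrDot; the
// absolute-path check also rejects the relative result older toolchains return.
// (Assumption: Go 1.19 or newer for exec.ErrDot.)
func TrustedGitPath() (string, error) {
	p, err := exec.LookPath("git")
	if errors.Is(err, exec.ErrDot) {
		return "", fmt.Errorf("refusing git resolved from the current directory: %s", p)
	}
	if err != nil {
		return "", err
	}
	if !filepath.IsAbs(p) {
		return "", fmt.Errorf("refusing non-absolute git path %q", p)
	}
	return p, nil
}

// SampleLookup is a constructed scenario: a cloned repository that contains a
// git.bat, and a real git.exe installed under Program Files.
func SampleLookup() Lookup {
	return Lookup{
		Cwd:     `C:\Users\victim\repo`,
		PathExt: []string{".COM", ".EXE", ".BAT", ".CMD"},
		Path:    []string{`C:\Windows\System32`, `C:\Program Files\Git\cmd`},
		Files: map[string]bool{
			`c:\users\victim\repo\git.bat`:     true, // shipped inside the repository
			`c:\program files\git\cmd\git.exe`: true, // the trusted install
		},
	}
}

func main() {
	l := SampleLookup()
	unsafe, _ := l.ResolveLikeWindows("git")
	safe, _ := l.ResolveTrusted("git")
	fmt.Println("Windows default order picks:", unsafe) // the repository's git.bat
	fmt.Println("trusted lookup picks:       ", safe)   // the git.exe under Program Files
}
```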

Golunski says that CVE-2020-27955 is trivial to exploit, and has released PoC exploit code, as well as video demonstrations of the exploit in action on various Git clients.

What to do?

The vulnerability affects Git LFS versions 2.12 or earlier on Windows systems (but not on Unix). According to the Git LFS maintainers, there is no workaround for this issue other than avoiding untrusted repositories.

Affected users and product vendors are advised to update to the latest Git LFS version (v2.12.1, released on Wednesday), which plugged the security hole. Git for Windows has also been updated to include this Git LFS version.

Google discloses actively exploited Windows zero-day (CVE-2020-17087)

Google researchers have made public a Windows kernel zero-day vulnerability (CVE-2020-17087) that is being exploited in the wild in tandem with a Google Chrome flaw (CVE-2020-15999) that was patched on October 20.


About CVE-2020-17087

CVE-2020-17087 is a vulnerability in the Windows Kernel Cryptography Driver, and “constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape).”

More technical information has been provided in the Chromium issue tracker entry, which was kept inaccessible to the wider public for the first seven days, but has now been made public.

The researchers have also included PoC exploit code, which has been tested on Windows 10 1903 (64-bit), but they noted that the affected driver (cng.sys) “looks to have been present since at least Windows 7,” meaning that all the other supported Windows versions are probably vulnerable.

Exploitation and patching

Shane Huntley, Director of Google’s Threat Analysis Group (TAG) confirmed that the vulnerability chain is being used for targeted exploitation and that the attacks are “not related to any US election-related targeting.”

The attackers are using the Chrome bug to gain access to the target system and then CVE-2020-17087 to gain administrator access on it.

A patch for the issue is expected to be released on November 10, as part of the monthly Patch Tuesday effort by Microsoft.

Currently we expect a patch for this issue to be available on November 10.

While the bug is serious, the fact that it’s being used in targeted (and not widespread) attacks should reassure most users they’ll be safe until the patch is released.

Also, according to a Microsoft spokesperson, exploitation of the flaw has only been spotted in conjunction with the Chrome vulnerability, which has been patched in Chrome and other Chromium-based browsers (e.g., Opera on October 21, Microsoft Edge on October 22).

Users who have implemented those updates are, therefore, safer still.

Easily exploitable RCE in Oracle WebLogic Server under attack (CVE-2020-14882)

A critical and easily exploitable remote code execution vulnerability (CVE-2020-14882) in Oracle WebLogic Server is being targeted by attackers, SANS ISC has warned.


Oracle WebLogic is a Java EE application server that is part of Oracle’s Fusion Middleware portfolio and supports a variety of popular databases. These servers are often targeted by attackers, whether for cryptocurrency mining or as a way into other enterprise systems.

About the vulnerability (CVE-2020-14882)

CVE-2020-14882 may allow unauthenticated attackers with network access via HTTP to achieve total compromise and takeover of vulnerable Oracle WebLogic Servers.

The vulnerability affects Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0, and was patched by Oracle last week.

Dr. Johannes Ullrich, Dean of Research at the SANS Technology Institute, said that SANS ISC’s honeypots are getting hit by exploit attempts originating from four IP addresses.

For now, the attackers are only probing to see whether the target systems are vulnerable, but that’s likely because the honeypots did not return the “correct” response.

“The exploit appears to be based on this blog post published in Vietnamese by ‘Jang’,” he added. (The researcher in question has previously flagged several flaws in Oracle’s offerings, though not this one.)

The exploit allows attackers to achieve RCE on a vulnerable Oracle WebLogic Server by sending one simple POST request.

A demonstration of the exploit in action is available here.

The PoC exploit was published yesterday, and it didn’t take long for attackers to take advantage of it. Admins are advised to patch vulnerable systems as soon as possible.

Are your domain controllers safe from Zerologon attacks?

CVE-2020-1472, a privilege elevation vulnerability in the Netlogon Remote Protocol (MS-NRPC) for which Microsoft released a patch in August, has just become a huge liability for organizations that are struggling with timely patching.

Secura researchers – the very same ones who found and disclosed the flaw to Microsoft – published additional technical details on Monday, and just a few hours later several PoC exploits/tools were published on GitHub.


About CVE-2020-1472

CVE-2020-1472 (aka Zerologon) affects all supported Windows Server versions, but the danger is highest for servers that function as Active Directory domain controllers in enterprise networks.

The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol.

“By simply sending a number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller that is stored in the AD. This can then be used to obtain domain admin credentials and then restore the original DC password,” Secura researchers explained.

“This attack has a huge impact: it basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain. The attack is completely unauthenticated: the attacker does not need any user credentials.”

“In a hypothetical attack, one could use this vulnerability to deploy ransomware throughout an organization and maintain a persistent presence if cleanup and restoration efforts miss any additional malicious scripts,” Tenable security response manager Ryan Seguin noted.

“Organizations with network-accessible backups could end up with a perfect storm if a ransomware group destroys backups to increase their likelihood of payout from the victim organization.”

Exploitation

Many PoC exploits have been released by security researchers in the past day (1, 2, 3, 4), and the effectiveness of some of them has been confirmed:

Secura researchers published a Python script organizations can use to check whether a domain controller is vulnerable or not.

Remediation

Systems that have received the patch released in August are safe from attack, as it enforces secure NRPC for all Windows servers and clients in the domain. All Active Directory domain controllers should be updated, including read-only domain controllers.

“The updates will enable the Domain Controllers (DCs) to protect Windows devices by default, log events for non-compliant device discovery, and have the option to enable protection for all domain-joined devices with explicit exceptions,” Microsoft explained.

But complete remediation will happen after organizations deploy Domain Controller (DC) enforcement mode, which requires all Windows and non-Windows devices to use secure NRPC or to explicitly allow the account by adding an exception for any non-compliant device.

While organizations can deploy DC enforcement mode immediately by enabling a specific registry key, on February 9, 2021, DCs will be placed in enforcement mode automatically.

This phased rollout is due to the fact that there are many non-Windows device implementations of the Netlogon Remote Protocol, and vendors of non-compliant implementations have been given enough time to provide customers with the needed updates.

Potential Apache Struts 2 RCE flaw fixed, PoCs released

Have you already updated your Apache Struts 2 to version 2.5.22, released in November 2019? You might want to, and quickly, as information about a potential RCE vulnerability (CVE-2019-0230) and PoC exploits for it have been published.


About the vulnerability (CVE-2019-0230)

“CVE-2019-0230 is a forced double Object-Graph Navigation Language (OGNL) evaluation vulnerability that occurs when Struts tries to perform an evaluation of raw user input inside of tag attributes. An attacker could exploit this vulnerability by injecting malicious OGNL expressions into an attribute used within an OGNL expression,” Tenable researchers explained.

It’s rated as important (i.e., not critical) by the Apache Struts Security Team, but could allow attackers to achieve remote code execution.

“There is still not enough information about the potential impact of this vulnerability under real world conditions, but caution is certainly warranted regarding this flaw,” the researchers noted, especially because PoCs for it have been popping up on GitHub.

Whether they will be useful or not remains to be seen, though.

“It’s important to note that because each Struts application is unique, the actual payload needed to exploit it will differ from application to application. Additionally, the application would need to be developed in such a way that it allows an attacker to supply unvalidated input into an attribute used inside of an OGNL expression,” the researchers explained.

CVE-2019-0230 and CVE-2019-0233 (a DoS bug) affect Apache Struts versions 2.0.0 to 2.5.20. They’ve both been fixed in version 2.5.22, to which admins are urged to upgrade (if they haven’t already).

“We continue to urge developers building upon Struts 2 to not use %{…} syntax referencing unvalidated user modifiable input in tag attributes, since this is the ultimate fix for this class of vulnerabilities,” René Gielen, Struts Project Management Committee chair, added.

About Apache Struts 2

Apache Struts 2 is a widely-used open source web application framework for developing Java EE web applications.

A few years ago, analyst Fintan Ryan at RedMonk estimated that nearly 65% of Fortune 100 firms actively use web applications built with the Apache Struts framework.

A security hole (CVE-2017-5638) in Apache Struts 2 is how hackers managed to get in to execute the infamous 2017 Equifax data breach, after the company’s site administrators failed to quickly implement the security update that fixed it.

Other critical vulnerabilities affecting the solution have since been unearthed and PoC exploits released for them (e.g., CVE-2018-11776).

CVE-2017-5638 has recently been listed by the US Cybersecurity and Infrastructure Security Agency as one of the ten most often exploited flaws between 2016 and 2019.

RiskSense also recently pointed out that WordPress and Apache Struts had the most weaponized vulnerabilities.

“Even if best application development practices are used, framework vulnerabilities can expose organizations to security breaches. Meanwhile, upgrading frameworks can be risky because changes can affect the behavior, appearance, or inherent security of applications,” RiskSense CEO Srinivas Mukkamala noted.

“As a result, framework vulnerabilities represent one of the most important, yet poorly understood and often neglected elements of an organization’s attack surface.”

Exploits for vBulletin zero-day released, attacks are ongoing

The fix for CVE-2019-16759, a remote code execution vulnerability in vBulletin that was patched in September 2019, is incomplete, security researcher Amir Etemadieh has discovered.

The discovery and his publishing of PoC and full exploits spurred attackers to launch attacks:

Several other admins confirmed that they’ve been hit.

Risk mitigation and prevention

Etemadieh explained how he discovered that the patch for CVE-2019-16759 was flawed in a blog post published on Sunday.

It’s a quality write-up and contains a one-line PoC exploit and full exploits written in Bash, Python and Ruby, as well as instructions on how to implement a fix until a more complete patch is released (in short, forum admins were advised to temporarily disable PHP widgets).

“Tenable Research has tested the proof of concept from Etemadieh and confirmed successful exploitation using the latest version of vBulletin,” Tenable research engineer Satnam Narang confirmed.

Internet Brands, the makers of vBulletin, were not notified of this discovery prior to the publication, so they’ve scrambled to fix the flaw again.

New patches have been made available on Monday, for versions 5.6.2, 5.6.1 and 5.6.0 of vBulletin Connect, and they disable the PHP Module widget. The upcoming v5.6.3 will contain the patch.

“All older versions should be considered vulnerable. Sites running older versions of vBulletin need to be upgraded to vBulletin 5.6.2 as soon as possible,” they advised, and noted that vBulletin Cloud sites are not affected by this issue.

vBulletin is the most popular internet forum software in use today and also powers many dark web forums. vBulletin flaws, especially when they allow remote code execution without authentication, are usually speedily leveraged by attackers, so admins are advised to implement the patches ASAP.

Critical ManageEngine ADSelfService Plus RCE flaw patched

A critical vulnerability (CVE-2020-11552) in ManageEngine ADSelfService Plus, an Active Directory password-reset solution, could allow attackers to remotely execute commands with system level privileges on the target Windows host.


About ManageEngine ADSelfService Plus

ManageEngine ADSelfService Plus is developed by ManageEngine, a division of Zoho Corporation, a software development company that focuses on web-based business tools and information technology.

“ADSelfService Plus supports self-service password reset for WFH and remote users by enabling users to reset Windows password from their own machines and updating the cached credentials through a VPN client,” the company touts.

It also supports sending password expiration notifications to remote users through email, SMS, and push notifications; provides admins with a way to force 2-factor authentication for Windows logons; and provides users with secure access to all SAML-supported enterprise applications (e.g., Office 365, G Suite, Salesforce) through AD-based single sign-on.

About the vulnerability (CVE-2020-11552)

Unearthed and flagged by Bhadresh Patel, CVE-2020-11552 stems from the solution not properly enforcing user privileges associated with the Windows Certificate Dialog.

The ManageEngine ADSelfService Plus thick client software enables users to perform a password reset or an account unlock action by using the self-service option on the Windows login screen. When one of these options is selected, the client software is launched and connects to a remote ADSelfService Plus server to facilitate the self-service operations.

“A security alert can/will be triggered when ‘an unauthenticated attacker having physical access to the host issues a self-signed SSL certificate to the client’. Or, ‘a (default) self-signed SSL certificate is configured on ADSelfService Plus server’,” he noted.

“‘ViewCertificate’ option from the security alert will allow an attacker with physical access or a remote attacker with RDP access, to export a displayed certificate to a file. This will further cascade to the standard dialog/wizard which will open file explorer as SYSTEM. By navigating file explorer through ‘C:\windows\system32’, a cmd.exe can be launched as a SYSTEM.”

Patel also published a PoC exploit video (the exploitation part starts at 5:30):


ManageEngine patched CVE-2020-11552 twice, because the first patch only fixed the issue partially. Admins are advised to upgrade to ADSelfService Plus build 6003, which contains the complete security fix.

Researchers flag two zero-days in Windows Print Spooler

In May 2020, Microsoft patched CVE-2020-1048, a privilege escalation vulnerability in the Windows Print Spooler service discovered by Peleg Hadar and Tomer Bar from SafeBreach Labs. A month later, the two researchers found a way to bypass the patch and re-exploit the vulnerability on the latest Windows version. Microsoft assigned this vulnerability a new identification number – CVE-2020-1337 – and will patch it on August 2020 Patch Tuesday. They’ve also discovered a DoS flaw affecting … More

The post Researchers flag two zero-days in Windows Print Spooler appeared first on Help Net Security.

Attackers are exploiting Cisco ASA/FTD flaw in search for sensitive data

An unauthenticated file read vulnerability (CVE-2020-3452) affecting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software is being exploited by attackers in the wild.


For the moment, it seems that it is being used just to read Lua source files, but it can be used to view files that may contain information such as WebVPN configuration, bookmarks, web cookies, partial web content, and HTTP URLs.

About the vulnerability (CVE-2020-3452)

CVE-2020-3452 affects the web services interface of Cisco ASA and Cisco FTD software and can be exploited by remote unauthenticated attackers to read sensitive files within the web services file system on the targeted device (but not to obtain access to ASA or FTD system files or underlying operating system files).

“The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device,” Cisco explained.

Devices are vulnerable only if they are running a vulnerable release of the software AND are configured with either WebVPN or AnyConnect features.

The vulnerability was discovered by Mikhail Klyuchnikov of Positive Technologies and Abdulrahman Nour and Ahmed Aboul-Ela of RedForce. Cisco patched it last week by releasing security updates and hotfixes. Shortly after, Aboul-Ela published a PoC for it:

Cisco confirmed that exploitation attempts started the day after. Rapid7 scanned the internet-accessible ASA/FTD devices and found 85,000.

“Since it is difficult (if not impossible) to legally fingerprint Cisco ASA/FTD versions remotely, Rapid7 Labs revisited the ‘uptime’ technique described in a 2016 blog post for another Cisco ASA vulnerability, which shows that only about 10% of Cisco ASA/FTD devices have been rebooted since the release of the patch. This is a likely indicator they’ve been patched,” noted Bob Rudis, Chief Data Scientist at Rapid7.

Details and PoC for critical SharePoint RCE flaw released

Last week, a “wormable” remote code execution flaw in the Windows DNS Server service (CVE-2020-1350) temporarily overshadowed all the other flaws patched by Microsoft on July 2020 Patch Tuesday, but CVE-2020-1147, an RCE affecting Microsoft SharePoint, was also singled out as critical and requiring a speedy fix.


Implementing the offered security updates has since become even more urgent, as more exploitation details and a PoC have been released on Monday.

About CVE-2020-1147

CVE-2020-1147 is found in two .NET components (DataSet and DataTable) used to manage data sets, and affects Microsoft SharePoint, .NET Framework, and Visual Studio.

The vulnerability is triggered when the software fails to check the source markup of XML file input.

“An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the process responsible for deserialization of the XML content. To exploit this vulnerability, an attacker could upload a specially crafted document to a server utilizing an affected product to process content,” Microsoft explained, and provided security updates for:

  • .NET Core
  • .NET Framework
  • SharePoint Enterprise Server (2013 and 2016)
  • SharePoint Server (2010 and 2019)
  • Visual Studio (2017 and 2019).

“Full protection requires the installation of the .NET Framework update as well as updates for any additional affected products mentioned in this article,” the company stressed.

The vulnerability was reported by Oleksandr Mirosh from Micro Focus Fortify, Jonathan Birch of Microsoft Office Security Team, and Markus Wulftange of Code White GmbH.

Exploitation potential

Information security specialist and prolific bug hunter Steven Seeley decided to probe how the vulnerability might be exploited and recently shared how it can be leveraged against a SharePoint Server instance to achieve RCE as a low privileged user. He also provided a PoC.

“Microsoft rate this bug with an exploitability index rating of 1 and we agree, meaning you should patch this immediately if you haven’t. It is highly likely that this gadget chain can be used against several applications built with .net so even if you don’t have a SharePoint Server installed, you are still impacted by this bug,” he noted.

The call for immediate patching has been echoed by other security researchers:

Vulnerabilities in Microsoft SharePoint, a web-based collaborative platform that integrates with Microsoft Office and usually houses a lot of sensitive data, have lately been an attractive target for hackers.

Fear the PrintDemon? Upgrade Windows to patch easily exploited flaw

Among the vulnerabilities patched by Microsoft on May 2020 Patch Tuesday is CVE-2020-1048, a “lowly” privilege escalation vulnerability in the Windows Print Spooler service.


The vulnerability did not initially get much public attention but, as security researchers have since noted, the attackers who deployed Stuxnet ten years ago used a similar one to great effect.

About CVE-2020-1048

CVE-2020-1048, which affects Windows 7, 8.1, and 10 and Windows Server 2008, 2012, 2016, and 2019, arises from the Windows Print Spooler service improperly allowing arbitrary writing to the file system.

“An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft explained.

The vulnerability is not exploitable remotely – an attacker must already have access to the target system (be logged on) to be able to run a specially crafted script or application that will exploit the flaw.

What’s the big deal?

Though researchers Peleg Hadar and Tomer Bar from SafeBreach Labs have been credited with the discovery of CVE-2020-1048, the flaw is one of several Print Spooler issues that researchers Yarden Shafir and Alex Ionescu of Winsider have also discovered around the same time.

“Print Spooler continues to be one of the oldest Windows components that still hasn’t gotten much scrutiny, even though it’s largely unchanged since Windows NT 4,” Shafir and Ionescu noted, but obviously that’s changing.

Shafir and Ionescu shared more technical details about CVE-2020-1048 and explained how it can be used to elevate privileges, bypass EDR rules, gain persistence, and more. They’ve also released PoC exploit code and dubbed the flaw “PrintDemon”.

The general advice is to implement the patch as soon as possible as, they claim, the flaw is easy to exploit with a single PowerShell command.

While some, like Rapid7 researcher Brendan Watters, dispute the ease of exploitation, there’s no doubt that patching is a good move.

Using Cisco IP phones? Fix these critical vulnerabilities

Cisco has released another batch of fixes for a number of its products. Among the vulnerabilities fixed are critical flaws affecting a variety of Cisco IP phones and Cisco UCS Director and Cisco UCS Director Express for Big Data, its unified infrastructure management solutions for data center operations.


The critical vulnerabilities

Jacob Baines, a research engineer with Tenable, unearthed two critical flaws affecting the Cisco Wireless IP Phone 8821. Cisco then tested other IP phones and found several series that were affected, as well.

CVE-2020-3161 affects the web server and CVE-2016-1421 the web application for Cisco IP Phones. Both may allow an unauthenticated remote attacker to trigger a stack-based buffer overflow by sending a crafted HTTP request, which could ultimately lead to a DoS condition or may allow the attacker to execute code with root privileges.

If you’re wondering why the CVE of the latter vulnerability indicates that it was reported in 2016, it’s because it (partly) was.

“During Tenable’s original analysis, they noted the similarity of this vulnerability to [a previously discovered bug]. However, Cisco’s advisory described the vulnerability as requiring authentication, DoS only, and the Wireless IP Phone 8821 wasn’t listed on the affected list. After disclosing to Cisco, they informed Tenable that the described bug was CVE-2016-1421 and subsequently updated their disclosure,” Tenable explained.

Admins are advised to check whether the IP phones in use in their enterprise are affected and upgrade the firmware if they are. There are no workarounds for the flaws, but exploitation risk can be mitigated by disabling web access. Web access is disabled by default on Cisco IP phones, but some enterprises might have enabled it.

Baines has published Denial of Service PoCs for both flaws on Tenable’s GitHub repository.

Cisco has also provided fixes for nine authentication bypass vulnerabilities in the REST API of Cisco UCS Director and Cisco UCS Director Express for Big Data.

Only one of these is deemed to be critical. Exploiting one or several of these can allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device.

Admins are advised to upgrade to UCS Director Release 6.7.4.0 and UCS Director Express for Big Data Release 3.7.4.0 to plug the security holes.

The flaws were discovered by infosec specialist Steven Seeley of Source Incite, who promised to provide more details about the vulnerabilities soon.

The high-risk vulnerabilities

Two DoS flaws have been plugged in Cisco Wireless LAN Controllers, one in Cisco Aironet Series Access Points, and one in the Cisco IoT Field Network Director.

A code execution flaw in Cisco Webex Network Recording Player and Cisco Webex Player requires victim action to be exploited, and so does a CSRF flaw in Cisco Mobility Express Software.

Finally, a path traversal vulnerability in Cisco Unified Communications Manager (UCM) and Cisco Unified Communications Manager Session Management Edition (SME) could allow an unauthenticated, remote attacker to read arbitrary files in the system.

Google fixes another Chrome zero-day exploited in the wild

For the third time in a year, Google has fixed a Chrome zero-day (CVE-2020-6418) that is being actively exploited by attackers in the wild.

About CVE-2020-6418

No details have been shared about the attacks and about the flaw itself, apart from the short description that says it’s a type confusion flaw in V8, the JavaScript engine used by the Chrome browser.

The vulnerability was discovered and reported to the Chromium team by Clement Lecigne of Google’s Threat Analysis Group on February 18.

The fix was already in place a day later but, as the code is public, researchers from Exodus Intelligence managed to analyze it and develop proof-of-concept exploit code.

They released the exploit – which works only if Chrome’s sandbox is disabled or can be bypassed via another vulnerability – and pointed out that it’s a good thing Google has managed to reduce Chrome’s “patch gap” to two weeks.

“It took us around 3 days to exploit the vulnerability after discovering the fix. Considering that a potential attacker would try to couple this with a sandbox escape and also work it into their own framework, it seems safe to say that 1day vulnerabilities are impractical to exploit on a weekly or bi-weekly release cycle,” they noted.

This, of course, does not mean much in this particular instance, as CVE-2020-6418 was a zero-day to begin with (i.e., the exploit for it existed and was used before the patch).

Security update

The Chrome release (v80.0.3987.122) fixing CVE-2020-6418 and two other high-risk flaws was released for Windows, Mac, and Linux and will roll out over the coming days/weeks.

Those users and admins who have disabled the auto-updating feature on Chrome would do well to implement the update as soon as possible.

Sophos’ Paul Ducklin also pointed out that V8 is used in other applications and runtime environments, including the Chromium-based Microsoft Edge browser. (Brave, Opera, and Vivaldi are also Chromium-based web browsers and use V8).

“We’re assuming that if other V8-based applications do turn out to share this bug, they will soon be patched too – but as far as we know now, the in-the-wild exploit only applies to V8 as used in Chrome itself,” he added.

A new RCE in OpenSMTPD’s default install, patch available

Less than a month after the patching of a critical RCE flaw in OpenSMTPD, OpenBSD’s mail server, comes another call to upgrade to the latest version, as two additional security holes have been plugged.

Discovered by Qualys researchers, one is a less severe local information disclosure bug, but the other – once again – could be exploited remotely to execute arbitrary shell commands on a vulnerable machine.

The vulnerabilities

CVE-2020-8793 is a minor vulnerability that could allow an unprivileged local attacker to read the first line of an arbitrary file or the entire contents of another user’s file.

The researchers have developed a proof of concept and successfully tested it against the latest OpenBSD and Fedora versions (v6.6 and v31, respectively).

CVE-2020-8794 is an out-of-bounds read flaw introduced in December 2015 and can – depending on the vulnerable OpenSMTPD version – lead to the execution of arbitrary shell commands either as root or as any non-root user.

Because it resides in OpenSMTPD’s client-side code, which delivers mail to remote SMTP servers, two different exploitation scenarios are possible.

“Client-side exploitation: This vulnerability is remotely exploitable in OpenSMTPD’s (and hence OpenBSD’s) default configuration. Although OpenSMTPD listens on localhost only, by default, it does accept mail from local users and delivers it to remote servers. If such a remote server is controlled by an attacker (either because it is malicious or compromised, or because of a man-in-the-middle, DNS, or BGP attack — SMTP is not TLS-encrypted by default), then the attacker can execute arbitrary shell commands on the vulnerable OpenSMTPD installation,” the researchers explained.

For server-side exploitation, the attacker must first connect to the OpenSMTPD server (which accepts external mail) and send a mail that creates a bounce.

“Next, when OpenSMTPD connects back to their mail server to deliver this bounce, the attacker can exploit OpenSMTPD’s client-side vulnerability. Last, for their shell commands to be executed, the attacker must (to the best of our knowledge) crash OpenSMTPD and wait until it is restarted (either manually by an administrator, or automatically by a system update or reboot),” they concluded.

Patch ASAP

Both vulnerabilities have been patched in OpenBSD, as well as OpenSMTPD’s latest portable version (6.6.4p1) and users are advised to upgrade as soon as possible.

The similar RCE plugged in January ended up being exploited in attacks in the wild a few days after its existence was publicly revealed.

Qualys researchers have developed proof of concept exploit code for CVE-2020-8794 and tested it against OpenBSD 6.6, OpenBSD 5.9, Debian 10, Debian 11 and Fedora 31, but have decided not to release it publicly quite yet – to give users time to patch.

Benefits of blockchain pilot programs for risk management planning

Through 2022, 80% of supply chain blockchain initiatives will remain at a proof-of-concept (POC) or pilot stage, according to Gartner.

One of the main reasons for this development is that early blockchain pilots for supply chain pursued technology-oriented models that have been successful in other sectors, such as banking and insurance. However, successful blockchain use cases for supply chain require a different approach.

“Modern supply chains are very complex and require digital connectivity and agility across participants,” said Andrew Stevens, senior director analyst with the Gartner Supply Chain practice.

“Many organizations believed that blockchain could help navigate this complexity and pushed to create robust use cases for the supply chain. However, most of these use cases were inspired by pilots from the banking and insurance sector and didn’t work well in a supply chain environment.”

This setback should not discourage supply chain leaders from experimenting with blockchain. Blockchain use cases simply require a different approach for supply chain than for other sectors.

From technology-first to technology roadmaps

Adopting a technology-first approach that exclusively targets blockchain infrastructure was the initial idea for use cases in supply chain, mirroring the approach of the banking and insurance sector.

However, this approach did not work, because in contrast to the highly digital-only fintech blockchain use cases, many supply chain use cases will need to capture events and data across physical products, packaging layers and transportation assets.

Additionally, supply chain leaders need to understand how these events can be digitalized for sharing across a potential blockchain-enabled ecosystem of stakeholders.

“Today, supply chain leaders have now started to treat blockchain as part of a longer-term technology roadmap and risk management planning. We see that many leaders are adopting a broader end-to-end view across their supply chains and map all requirements – from sourcing across manufacturing to the final distribution,” Mr. Stevens added.

“Having blockchain as part of an overall technology portfolio has created opportunities for internal collaboration across many areas that have a potential interest in blockchain, such as logistics and IT.”

Blockchain pilot programs

Though most blockchain initiatives didn’t survive past the pilot phase, they have provided fresh stimuli for supply chain leaders to conduct broader supply chain process and technology reviews.

“Many supply chain leaders that have conducted blockchain initiatives found that they now have a more complete overview of the current health of their supply chain. Their perception on how blockchain can be used in the supply chain also has shifted,” Mr. Stevens said.

“By going through the process of deploying blockchain pilot programs, they discovered what needs to change in their organization before blockchain technology can be leveraged effectively.”

Before starting another initiative, supply chain leaders should identify and establish key criteria and technology options for measuring and capturing metrics and data that can indicate an organization’s readiness to explore blockchain.

“In a way, blockchain is a collaboration agent. It forces an organization to continually assess on a broad scale if its structure and employees are ready to embrace this new technology,” Mr. Stevens concluded.

Cisco Data Center Network Manager flaws fixed, Cisco ASA appliances under attack

Cisco has fixed 12 vulnerabilities in Cisco Data Center Network Manager (DCNM), a platform for managing Cisco switches and fabric extenders that run NX-OS, and has warned about a spike in exploitation attempts of an old flaw affecting Cisco Adaptive Security Appliance (ASA) and Firepower Appliance software.

Cisco Data Center Network Manager vulnerabilities

Three critical vulnerabilities (CVE-2019-15975, CVE-2019-15976 and CVE-2019-15977) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device.

“The vulnerabilities are not dependent on one another; exploitation of one of the vulnerabilities is not required to exploit another vulnerability,” Cisco shared.

They are present in APIs and the solution’s web-based management interface, and are caused by static encryption keys and credentials.

The other plugged holes include SQL injection, path traversal, command injection, and read access vulnerabilities, caused by insufficient validation of user-supplied input to some of the solution’s APIs.

There are no workarounds that address any of these, so the company advises administrators to upgrade their Cisco DCNM installations to software releases 11.3(1) and later as soon as possible.
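Every advisory on this page ends with a fixed version number: Chrome 80.0.3987.122, OpenSMTPD 6.6.4p1, UCS Director 6.7.4.0 and now DCNM 11.3(1). The check that an installed build is at or above that number is easy to get wrong, because a plain string comparison puts 80.0.3987.87 after 80.0.3987.122 and trips over suffixes such as the "p1" of OpenSMTPD's portable releases or Cisco's "11.3(1)" notation. The following Python is an added example, not tooling from Cisco, Google, OpenBSD or this article; the inventory rows are constructed, and the product names and the rule that anything at or above the listed version counts as patched are assumptions for the example.

```python
"""Version-gate audit for the fixed releases named in the articles (added example)."""
import re

# Fixed versions quoted in the articles; assumption: any release at or above these is patched.
FIXED_VERSIONS = {
    "chrome": "80.0.3987.122",
    "opensmtpd": "6.6.4p1",
    "ucs-director": "6.7.4.0",
    "dcnm": "11.3(1)",
}


def version_key(version: str) -> list:
    """Turn '80.0.3987.122', '6.6.4p1' or '11.3(1)' into a list comparable with < and >=.

    Numeric tokens compare as integers (122 > 87, unlike string comparison).  A letter
    token such as the 'p' of a portable release makes the key longer than the bare
    release, so 6.6.4p1 sorts after 6.6.4.  Trailing '.0' components are dropped so
    that 6.7.4 and 6.7.4.0 compare equal.  Tagging tokens as (1, int) or (0, str) keeps
    Python from ever comparing an int with a str.
    """
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    key = [(1, int(t)) if t.isdigit() else (0, t.lower()) for t in tokens]
    while len(key) > 1 and key[-1] == (1, 0):
        key.pop()
    return key


def extract_version(text: str) -> str:
    """Pull the first version string out of CLI output such as 'Google Chrome 80.0.3987.122'."""
    m = re.search(r"\d[\w.()]*", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return m.group(0)


def is_patched(installed: str, fixed: str) -> bool:
    """True when the installed release is the fixed one or newer."""
    return version_key(installed) >= version_key(fixed)


def audit(inventory):
    """inventory: (host, product, cli_output) rows. Returns rows that still need the update."""
    pending = []
    for host, product, output in inventory:
        installed = extract_version(output)
        fixed = FIXED_VERSIONS[product]
        if not is_patched(installed, fixed):
            pending.append((host, product, installed, fixed))
    return pending


# Constructed sample inventory (hypothetical hosts); the third column mimics the
# output of commands such as `google-chrome --version`.
SAMPLE_INVENTORY = [
    ("ws-01", "chrome", "Google Chrome 80.0.3987.87"),     # older; string compare would call it newer
    ("ws-02", "chrome", "Google Chrome 80.0.3987.122"),
    ("mail-01", "opensmtpd", "OpenSMTPD 6.6.4p1"),
    ("mail-02", "opensmtpd", "OpenSMTPD 6.6.3p1"),
    ("ucsd-01", "ucs-director", "Release 6.7.4"),          # equal to 6.7.4.0 after normalisation
    ("dcnm-01", "dcnm", "DCNM 11.2(1)"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print("UPDATE NEEDED: %s (%s) runs %s, fixed in %s" % row)
```

Run against the constructed inventory, only ws-01, mail-02 and dcnm-01 are reported; the hosts on exactly the fixed build, or on an equivalent spelling of it, pass. The ordering chosen for letter tokens is a convention of this example, so adapt `version_key` if a vendor's scheme uses suffixes differently.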

The good news is that they’ve all been discovered and reported by Steven Seeley of Source Incite and are not being actively exploited.

Additionally, Cisco plugged CVE-2019-15999, a security hole in DCNM’s JBoss Enterprise Application Platform (EAP), which exists due to incorrectly configured authentication settings.

Cisco ASA appliances under attack

For those who might have missed it, it’s worth pointing out that Cisco Talos recently warned about a spike in exploitation attempts against CVE-2018-0296, a DoS and information disclosure directory traversal bug in Cisco Adaptive Security Appliance (ASA) and Firepower Appliance software.

“This vulnerability was first noticed being exploited publicly back in June 2018, but it appeared to increase in frequency in the past several days and weeks. As such, we are advising all customers to ensure they are running a non-affected version of code,” threat researcher Nick Biasini noted in late December.

“Additionally, we want to highlight that there is a Snort signature in place to detect this specific attack (46897). Concerned customers should ensure it is enabled in applicable policies that could detect this exploitation attempt.”

Several PoCs for the vulnerability have been published on GitHub since the vulnerability was first disclosed.
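Talos' advice above pairs a version check with a signature, and the same pattern applies to the other traversal bugs on this page (UCS Director, DCNM, Unified Communications Manager). The following Python is an added example and is not Snort rule 46897 or any vendor signature; it does not reproduce the CVE-2018-0296 request. It flags the generic primitive these bugs rely on, a ".." path segment in plain, URL-encoded or double-encoded form, in web server access logs. The log lines are constructed, and the common log format they follow is an assumption about the logging source.

```python
"""Generic directory-traversal detection over web access logs (added example)."""
import re
from urllib.parse import unquote

# A '..' that forms a whole path segment; 'notes..txt' is not a traversal.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

# Common log format: client, identity, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def decode_path(path: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly (bounded) so %2e%2e%2f and %252e%252e%252f are both seen
    as '../'; backslashes are normalised to '/' so Windows-style separators are caught."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def has_traversal(path: str) -> bool:
    """True when the decoded request path contains a '..' segment."""
    return bool(TRAVERSAL.search(decode_path(path)))


def scan_log(lines):
    """Return (client, raw_path, decoded_path, status) for every traversal attempt.
    A 200 status on such a request is the row worth escalating: the server served it."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        if has_traversal(m["path"]):
            hits.append((m["src"], m["path"], decode_path(m["path"]), int(m["status"])))
    return hits


# Constructed sample log (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Jan/2020:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [20/Jan/2020:09:12:02 +0000] "GET /static/../../etc/passwd HTTP/1.1" 403 0',
    '198.51.100.7 - - [20/Jan/2020:09:13:10 +0000] "GET /files/%2e%2e%2f%2e%2e%2fconfig HTTP/1.1" 200 2048',
    '198.51.100.7 - - [20/Jan/2020:09:13:11 +0000] "GET /files/%252e%252e/secret HTTP/1.1" 404 0',
    '192.0.2.9 - - [20/Jan/2020:09:14:00 +0000] "GET /docs/notes..txt HTTP/1.1" 200 99',
]

if __name__ == "__main__":
    for src, raw, decoded, status in scan_log(SAMPLE_LOG):
        flag = "SERVED" if status == 200 else "blocked"
        print(f"{src} {status} {flag}: {raw} -> {decoded}")
```

Three of the five constructed lines are flagged; the benign `notes..txt` request is not, because the rule requires `..` to be a complete path segment. Only the encoded request from 198.51.100.7 received a 200, which is the hit a responder would look at first. Bounding the decode loop matters: unbounded decoding of attacker-controlled input is itself a way to waste detector time.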

Check out Cisco’s advisory to see which devices are affected, and the blog post for instructions on how to check whether your devices are among those.