Category Archives: Security Alert

Joomla! JMS Music Component SQL Injection Vulnerability [CVE-2018-6581]

CVE Number – CVE-2018-6581

A vulnerability in the JMS Music component of Joomla! could allow an unauthenticated, remote attacker to conduct an SQL injection attack on a targeted system.

The vulnerability is due to insufficient protections imposed by the affected software on certain search parameters. An attacker could exploit this vulnerability by sending a GET request with either the keyword, username, or artist parameter to a targeted system. A successful exploit could allow the attacker to conduct an SQL injection attack on the system.

Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available.

Administrators are advised to contact the vendor regarding future updates and releases.

Administrators are advised to allow only trusted users to have network access.

Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access affected systems.

Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.

Administrators can apply Snort SID 46041 to help prevent attacks that attempt to exploit this vulnerability.

Administrators are advised to monitor affected systems.
nghttp2 ALTSVC Frame NULL Pointer Dereference Denial of Service Vulnerability [CVE-2018-1000168]

CVE Number – CVE-2018-1000168

A vulnerability in nghttp2 could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system.

The vulnerability is due to improper bounds checking by the affected software. If an alternative services (ALTSVC) frame is too large, the pointer field that points to the ALTSVC frame payload is left NULL. An attacker could exploit this vulnerability by sending a large ALTSVC frame to the targeted system. A successful exploit could trigger a NULL pointer dereference condition and cause the affected software to stop responding, resulting in a DoS condition on the affected system.

nghttp2.org has confirmed the vulnerability and released software updates.

Analysis
  • To exploit this vulnerability, an attacker must send a large ALTSVC frame to the targeted system, making exploitation more difficult in environments that restrict network access from untrusted sources.

    This vulnerability affects client and server systems running an affected version of nghttp2 if the reception of ALTSVC frames is enabled. By default, receiving an ALTSVC frame is disabled.

Safeguards
  • Administrators are advised to apply the appropriate updates.

    Administrators are advised to allow only trusted users to have network access.

    Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.

    Administrators are advised to monitor affected systems.

Vendor Announcements
  • nghttp2.org has released a security advisory at the following link: CVE-2018-1000168
Fixed Software
GEGL Process Function Unbounded Memory Allocation Denial of Service Vulnerability [CVE-2018-10113]

CVE Number – CVE-2018-10113

A vulnerability in the process function of the Generic Graphics Library (GEGL) could allow a local attacker to cause a denial of service (DoS) condition on a targeted system.

The vulnerability is due to improper memory operations that are performed by the affected software when the process function, as defined in the operations/external/ppm-load.c source code file of the affected software, is used. An attacker could exploit this vulnerability by submitting malicious input to the targeted system designed to trigger a memory allocation failure. A successful exploit could cause the affected software to crash, resulting in a DoS condition on the affected system.

Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available.

The GNOME Project has not publicly confirmed this vulnerability and software updates are not available.

Analysis
  • To exploit this vulnerability, an attacker must have local access to the targeted system. This access requirement may reduce the likelihood of a successful exploit.
Safeguards
  • Administrators are advised to contact the vendor regarding future updates and releases.

    Administrators are advised to allow only trusted users to access local systems.

    Administrators are advised to monitor affected systems.

Vendor Announcements
  • Vendor announcements are not available.
Fixed Software
  • Software updates are not available.
GEGL gegl_buffer_iterate_read_simple Function Remote Denial of Service Vulnerability [CVE-2018-10114]

CVE Number – CVE-2018-10114

A vulnerability in the Portable PixMap (PPM) File Handler component of the Generic Graphics Library (GEGL) could allow an unauthenticated, remote attacker to cause a denial of service condition on a targeted system.

The vulnerability is due to improper restrictions of memory allocation in the ppm_load_read_header function as defined in the operations/external/ppm-load.c source code file of the affected software. An attacker could exploit the vulnerability by persuading a user to access a PPM file that submits malicious input to the affected software. A successful exploit could trigger an out-of-bounds write condition in the gegl_buffer_iterate_read_simple function in the buffer/gegl-buffer-access.c source code file, which could cause the affected software to crash, resulting in a DoS condition on the affected system.

Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available.

The GNOME Project has confirmed the vulnerability and released a software patch.

Analysis
  • To exploit this vulnerability, the attacker may use misleading language or instructions to persuade a user to access a file that submits malicious input to the affected software.
Safeguards
  • Administrators are advised to apply the appropriate updates.

    Administrators are advised to allow only trusted users to have network access.

    Users are advised not to open email messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in email messages are safe, they are advised not to open them.

    Administrators are advised to monitor critical systems.

Vendor Announcements
  • The GNOME Project has released a bug report at the following link: Bug 795248
Fixed Software
Exempi VPXChunk Class Denial of Service Vulnerability [CVE-2017-18235]

CVE Number – CVE-2017-18235

A vulnerability in Exempi could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system.

The vulnerability exists in the VPXChunk class defined in the source code file XMPFiles/source/FormatSupport/WEBP_Support.cpp, and is due to insufficient sanitization of “0” values passed to height() or width() by the affected software when handling .webp files. An attacker could exploit the vulnerability by persuading a user to access a .webp file that submits malicious input to the affected software. A successful exploit could cause the affected software to crash due to a memory assertion error, which could result in a DoS condition.

Exempi has confirmed the vulnerability and released software updates.

Analysis
  • To exploit this vulnerability, the attacker may use misleading language or instructions to persuade a user to access a file that submits malicious input to the affected software.
Safeguards
  • Administrators are advised to apply the appropriate updates.

    Administrators are advised to allow only trusted users to have network access.

    Users are advised not to open email messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in email messages are safe, they are advised not to open them.

    Users are advised not to visit websites or follow links that have suspicious characteristics or cannot be verified as safe.

    Administrators are advised to use an unprivileged account when browsing the Internet.

    Administrators are advised to monitor critical systems.

Vendor Announcements
Fixed Software
  • Exempi has released software updates at the following link: Download Exempi
HPE Intelligent Management Center PLAT Arbitrary Code Execution Vulnerability [CVE-2017-12556]

CVE Number – CVE-2017-12556

A vulnerability in HPE Intelligent Management Center (IMC) PLAT could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

The vulnerability exists in the MibBrowserTopoFilterServlet of the affected software and is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting crafted input to the targeted system. A successful exploit could allow the attacker to execute arbitrary code with SYSTEM privileges, which could result in a complete system compromise.

HPE has confirmed the vulnerability and released software updates.

Analysis
  • To exploit this vulnerability, an attacker must send malicious input to the targeted system, making exploitation more difficult in environments that restrict network access from untrusted sources.
Safeguards
  • Administrators are advised to apply the appropriate updates.

    Administrators are advised to allow only trusted users to have network access.

    Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.

    Administrators can apply Snort SID 45677 to help prevent attacks that attempt to exploit this vulnerability.

    Administrators are advised to monitor affected systems.

Vendor Announcements
  • HPE has released a security bulletin at the following link: HPESBHF03778
Fixed Software
  • HPE has released IMC PLAT 7.3 (E0506P03) to address this vulnerability, as described in the “Resolution” section of the HPE security bulletin. Customers may contact HPE Technical Support for any assistance in obtaining the software updates.
Zabbix iConfig Proxy Request Information Disclosure Vulnerability [CVE-2017-2826]

CVE Number – CVE-2017-2826

A vulnerability in the iConfig proxy request feature of Zabbix server could allow an unauthenticated, remote attacker to access sensitive information on a targeted system.

The vulnerability is due to improper handling of iConfig proxy requests by the affected software. An attacker who has knowledge of the IP address of a configured Zabbix proxy could exploit this vulnerability by sending customized iConfig proxy request packets to a targeted Zabbix server. A successful exploit could allow the attacker to access sensitive information from any configured Zabbix proxy.

Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available.

Zabbix has not publicly confirmed this vulnerability and software updates are not available.

Analysis
  • To exploit this vulnerability, an attacker must know the IP address of a Zabbix proxy that is configured to be used with a Zabbix server in order to send crafted iConfig proxy request packets to the server. This requirement could make a successful exploit difficult to achieve.

    Cisco Talos has released a report describing this vulnerability at the following link: TALOS-2017-0327

Safeguards
  • Administrators are advised to contact the vendor regarding future updates and releases.

    Administrators are advised to allow only trusted users to have network access.

    Administrators are advised to allow only privileged users to access administration or management systems.

    Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.

    Administrators are advised to monitor affected systems.

Vendor Announcements
  • Vendor announcements are unavailable.

Fixed Software
  • Software updates are unavailable.
Maktub Ransomware

Maktub, also known as MaktubLocker and Iron, is a newly observed ransomware tool being sold using a malware-as-a-service model.

It is delivered via smaller-scale spam campaigns containing a malicious attachment. This attachment contains a rich text format document resembling a Terms of Service (ToS) agreement. Unlike most malicious attachments, this document appears to be a legitimate ToS agreement, and is believed to be included as a way to occupy the user while the malware is installing.

Once installed, Maktub checks the keyboard locale list, only proceeding if it does not detect Russian values on the list. Encryption uses the Windows Crypto API and targets all local, network and external drives. Files are also compressed before encryption, possibly to increase the speed of the process.

Maktub Locker has clearly been developed by professionals. The full product’s complexity suggests that it is the work of a team of people with different areas of expertise.

Further technical details here

Affected Platforms

Microsoft Windows – All versions


Cisco IOS XE Software Static Credential Vulnerability [CVE-2018-0150]

  • A vulnerability in Cisco IOS XE Software could allow an unauthenticated, remote attacker to log in to a device running an affected release of Cisco IOS XE Software with the default username and password that are used at initial boot.

    The vulnerability is due to an undocumented user account with privilege level 15 that has a default username and password. An attacker could exploit this vulnerability by using this account to remotely connect to an affected device. A successful exploit could allow the attacker to log in to the device with privilege level 15 access.

    Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-xesc

    This advisory is part of the March 28, 2018, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 20 Cisco Security Advisories that describe 22 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: March 2018 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.

Affected Products
  • Vulnerable Products

    This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS XE Software Release 16.x. This vulnerability does not affect Cisco IOS XE Software releases prior to Release 16.x.

    For more information about which Cisco IOS XE Software releases are vulnerable, see the Fixed Software section of this advisory.

    Determining the Cisco IOS XE Software Release

    To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text.
    The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M:

    ios-xe-device# show version
    
    Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2016 by Cisco Systems, Inc.
    Compiled Sun 27-Mar-16 21:47 by mcpre
    .
    .
    .

    For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

    Products Confirmed Not Vulnerable

    No other Cisco products are currently known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS Software, Cisco IOS XR Software, or Cisco NX-OS Software.

Workarounds
  • To address this vulnerability, administrators may remove the default account by using the no username cisco command in the device configuration. Administrators may also address this vulnerability by logging in to the device and changing the password for this account.
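    The following Python triage script is an added illustration, not part of the Cisco advisory: it parses a show version banner to confirm the device is on the IOS XE 16.x train that the advisory scopes, then checks a running-config excerpt for the default "cisco" local account that the workaround removes. Both inputs are constructed samples modelled on the advisory's example output; a full "fixed or not" determination still requires the advisory's fixed-release table, which this script does not encode.

```python
import re

# Constructed sample in the shape of the advisory's show version example (not a real capture).
SHOW_VERSION = """Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Sun 27-Mar-16 21:47 by mcpre
"""

# Constructed running-config excerpt; secrets are placeholders, not real hashes.
RUNNING_CONFIG = """hostname ios-xe-device
username admin privilege 15 secret 9 $9$PLACEHOLDER
username cisco privilege 15 password 7 PLACEHOLDER
line vty 0 4
 transport input ssh
"""

# Matches "Version 16.2.1" as well as codename forms such as "Version Denali 16.2.1".
VERSION_RE = re.compile(r"Version\s+(?:\w+\s+)?(\d+)\.(\d+)\.(\d+)")


def parse_release(show_version: str):
    """Return (major, minor, patch) from a show version banner, or None if absent."""
    m = VERSION_RE.search(show_version)
    return tuple(int(x) for x in m.groups()) if m else None


def is_ios_xe_16(show_version: str) -> bool:
    """The advisory scopes the issue to IOS XE Release 16.x; earlier trains are out of scope."""
    rel = parse_release(show_version)
    return rel is not None and rel[0] == 16


def default_account_present(running_config: str, username: str = "cisco") -> bool:
    """True if a local 'username <name> ...' line is still present in the configuration."""
    pat = re.compile(rf"^username\s+{re.escape(username)}\s", re.MULTILINE)
    return pat.search(running_config) is not None


def assess(show_version: str, running_config: str) -> str:
    """Triage verdict: 'not_in_scope', 'exposed' (account still present) or 'mitigated'."""
    if not is_ios_xe_16(show_version):
        return "not_in_scope"
    return "exposed" if default_account_present(running_config) else "mitigated"


if __name__ == "__main__":
    print(assess(SHOW_VERSION, RUNNING_CONFIG))  # constructed sample -> exposed
```

    A "mitigated" verdict here only means the default account is gone; devices should still be moved to a fixed release per the advisory.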

Fixed Software
  • Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

    Additional information can be found here
RubyGems Improper Input Validation Vulnerability [CVE-2018-1000077]

CVE Number – CVE-2018-1000077

A vulnerability in RubyGems could allow an unauthenticated, remote attacker to modify the homepage URL on a targeted system.

The vulnerability is due to improper URL validation of the specification homepage attribute by the affected software. An attacker could exploit this vulnerability by persuading a user to install a malicious RubyGems gem on a targeted system. A successful exploit could allow the attacker to set an invalid homepage URL on the targeted system.

The vendor has confirmed the vulnerability in a security advisory and released software updates.

Analysis
  • To exploit this vulnerability, the attacker may use misleading language or instructions to persuade a user to open or execute a malicious file.
Safeguards
  • Administrators are advised to apply the appropriate updates.

    Administrators are advised to allow only trusted users to have network access.

    Users are advised not to open email messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in email messages are safe, they are advised not to open them.

    Administrators are advised to monitor affected systems.

Vendor Announcements
Fixed Software
  • The vendor has released software updates at the following link: RubyGems 2.7.6