US-CERT.gov

Feliratkozás US-CERT.gov hírcsatorna csatornájára
CERT publishes vulnerability advisories called "Vulnerability Notes." Vulnerability Notes include summaries, technical details, remediation information, and lists of affected vendors. Many vulnerability notes are the result of private coordination and disclosure efforts.
Frissítve: 24 perc 7 másodperc

VU#576688: Microsoft windows RDP Network Level Authenticaion can bypass the Windows lock screen

k, 06/04/2019 - 15:50
Microsoft Windows Remote Desktop supports a feature called Network Level Authentication(NLA),which moves the authentication aspect of a remote session from the RDP layer to the network-layer. The use of NLA is recommended to reduce the attack surface of systems exposed using the RDP protocol. In Windows a session can be locked,which presents the user with a screen that requires authentication to continue using the session. Session locking can happen over RDP in the same way that a local session can be locked. CWE-288:Authentication Bypass Using an Alternate Path or Channel(CVE-2019-9510) Starting with Windows 10 1803 and Windows Server 2019,Windows RDP handling of NLA-based RDP sessions has changed in a way that can cause unexpected behavior with respect to session locking. If a network anomaly triggers a temporary RDP disconnect,upon automatic reconnection the RDP session will be restored to an unlocked state,regardless of how the remote system was left. For example,consider the following steps: User connects to remote Windows 10 1803 or Server 2019 system using RDP. User locks remote desktop session. User leaves the physical vicinity of the system being used as an RDP client At this point,an attacker can interrupt the network connectivity of the RDP client system,which will result in the session with the remote system being unlocked without requiring any credentials. Two-factor authentication systems that integrate with the Windows login screen,such as Duo Security MFA,are also bypassed using this mechanism. Any login banners enforced by an organization will also be bypassed.
Kategóriák: Biztonsági hírek

VU#877837: Multiple vulnerabilities in Quest (Dell) Kace K1000 Appliance

szo, 06/01/2019 - 12:19
CVE-2018-5404:The Dell Kace K1000 Appliance allows an authenticated,remote attacker with least privileges('User Console Only' role)to potentially exploit multiple Blind SQL Injection vulnerabilities to retrieve sensitive information from the database or copy the entire database. (CWE-89) CVE-2018-5405:The Dell Kace K1000 Appliance allows an authenticated least privileged user with‘User Console Only’rights to potentially inject arbitrary JavaScript code on the tickets page. Script execution could allow a malicious user of the system to steal session cookies of other users including Administrator and take over their session. This can further be exploited to launch other attacks. The software also does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. (CWE-79) CVE-2018-5406:The Dell Kace K1000 Appliance allows a remote attacker to exploit the misconfigured Cross-Origin Resource Sharing(CORS)mechanism. An unauthenticated,remote attacker could exploit this vulnerability to perform sensitive actions such as adding a new administrator account or changing the appliance’s settings. A malicious internal user could also gain administrator privileges of this appliance and use it to visit a malicious link that exploits this vulnerability. This could cause the application to perform sensitive actions such as adding a new administrator account or changing the appliance’s settings. (CWE-284)
Kategóriák: Biztonsági hírek

VU#119704: Microsoft Windows Task Scheduler SetJobFileSecurityByName privilege escalation vulnerability

sze, 05/22/2019 - 21:01
Task Scheduler is a set of Microsoft Windows components that allows for the execution of scheduled tasks. The front-end components of Task Scheduler,such as schtasks.exe,are interfaces that allow for users to view,create,and modify scheduled tasks. The back-end part of Task Scheduler is a Windows service that runs with SYSTEM privileges. One of the libraries used by the Task Scheduler service,schedsvc.dll,has a function called tsched::SetJobFileSecurityByName(),which sets permissions of job files. The permissions of the job file in the%Windir%\system32\tasks directory are modified to give the calling user full permissions to the job file that they have created. At the point where the SetSecurityInfo()function is called,the Task Scheduler service has the NT Authority\SYSTEM security token. This means that the Task Scheduler service can give full user access permissions to files that may only be controlled by the SYSTEM or other privileged accounts. Public proof-of-concept exploit code leverages the legacy schtasks.exe and schedsvc.dll code from Windows XP to take advantage of these high privilege levels when setting file permissions. Versions of Windows prior to Vista used job files in the%Windir%\jobs directory. Legacy versions of schtasks.exe will cause these jobs to be migrated to the%Windir%\system32\tasks directory when those program versions are executed on modern Windows platforms. In conjunction with the SYSTEM security token used by the Task Scheduler service,this migration behavior can be used along with hard links to grant full permissions of protected files to any user on a Windows system. We have confirmed that the public exploit code functions reliably on 32- and 64-bit Windows 10 platforms,as well as Windows Server 2016 and Windows Server 2019.
Kategóriák: Biztonsági hírek

VU#400865: Cisco Trust Anchor module (TAm) improperly checks code and Cisco IOS XE web UI does not sanitize user input

k, 05/14/2019 - 22:17
CVE-2019-1649:Secure Boot Tampering,also known as Thrangrycat The logic that handles the access controls to TAm within Cisco's Secure Boot improperly checks an area of code that manages the Field Programmable Gate Array(FPGA). The TAm is a proprietary hardware chip used for many security services within Cisco products,including nonvolatile secure storage,cryptography services,and as a Secure Unit Device Identifier. The TAm can be bypassed by modifying the bitstream of the FPGA,allowing an authenticated,local attacker to make persistent modification to the TAm. CVE-2019-1862:IOS XE Web UI Command Injection The web user interface of Cisco IOS XE improperly sanitizes user-supplied input. This could allow an authenticated,remote attacker to execute commands as root on the underlying Linux shell.
Kategóriák: Biztonsági hírek

VU#169249: PrinterLogic Print Management Software fails to validate SSL certificates or the integrity of software updates.

p, 05/03/2019 - 18:15
PrinterLogic versions up to and including 18.3.1.96 are vulnerable to multiple attacks. The PrinterLogic agent,running as SYSTEM,does not validate the PrinterLogic Management Portal's SSL certificate,validate PrinterLogic update packages,or sanitize web browser input. CVE-2018-5408:The PrinterLogic Print Management software does not validate,or incorrectly validates,the PrinterLogic management portal's SSL certificate. When a certificate is invalid or malicious,it might allow an attacker to spoof a trusted entity by using a man-in-the-middle(MITM)attack. The software might connect to a malicious host while believing it is a trusted host,or the software might be deceived into accepting spoofed data that appears to originate from a trusted host. (C WE-295) CVE-2018-5409:PrinterLogic Print Management software updates and executes the code without sufficiently verifying the origin and integrity of the code. An attacker can execute malicious code by compromising the host server,performing DNS spoofing,or modifying the code in transit. (CWE-494) CVE-2019-9505:PrinterLogic Print Management software does not sanitize special characters allowing for unauthorized changes to configuration files. (CWE-159)
Kategóriák: Biztonsági hírek

VU#730261: Marvell Avastar wireless SoCs have multiple vulnerabilities

p, 04/19/2019 - 19:53
A presentation at the ZeroNights 2018 conference describes multiple security issues with Marvell Avastar SoCs(models 88W8787,88W8797,88W8801,88W8897,and 88W8997). The presentation provides some detail about a block pool memory overflow. During Wi-Fi network scans,an overflow condition can be triggered,overwriting certain block pool data structures. Because many devices conduct automatic background network scans,this vulnerability could be exploited regardless of whether the target is connected to a Wi-Fi network and without user interaction.
Kategóriák: Biztonsági hírek

VU#166939: Broadcom WiFi chipset drivers contain multiple vulnerabilities

sze, 04/17/2019 - 15:52
Vulnerabilities in the open source brcmfmac driver: CVE-2019-9503:If the brcmfmac driver receives a firmware event frame from a remote source,the is_wlc_event_frame function will cause this frame to be discarded and not be processed. If the driver receives the firmware event frame from the host,the appropriate handler is called. This frame validation can be bypassed if the bus used is USB(for instance by a wifi dongle.). This can allow firmware event frames from a remote source to be processed. CVE-2019-9500:If the Wake-up on Wireless LAN functionality is configured,a malicious event frame can be constructed to trigger an heap buffer overflow in the brcmf_wowl_nd_results function. This vulnerability can be exploited by compromised chipsets to compromise the host,or when used in combination with the above frame validation bypass,can be used remotely. NOTE:The brcmfmac driver only works with Broadcom FullMAC chipsets. Vulnerabilities in the Broadcom wl driver: Two heap buffer overflows can be triggered in the client when parsing an EAPOL message 3 during the 4-way handshake from the access point(AP). CVE-2019-9501:By supplying a vendor information element with a data length larger than 32 bytes,a heap buffer overflow is triggered in wlc_wpa_sup_eapol. CVE-2019-9502:If the vendor information element data length is larger than 164 bytes,a heap buffer overflow is triggered in wlc_wpa_plumb_gtk. NOTE:When the wl driver is used with SoftMAC chipsets,these vulnerabilities are triggered in the host's kernel. When a FullMAC chipset is being used,these vulnerabilities would be triggered in the chipset's firmware.
Kategóriák: Biztonsági hírek

VU#871675: Multiple vulnerabilities identified in WPA3 protocol design and implementations of hostapd and wpa_supplicant components

p, 04/12/2019 - 19:47
CERT continues to review the WPA3 protocol in support of this body of research. The root cause of the numerous"implementation"vulnerabilities may involve modifying the protocol. WPA3 uses Simultaneous Authentication of Equals(SAE),also known as Dragonfly Key Exchange,as the initial key exchange protocol,replacing WPA2's Pre-Shared Key(PSK)protocol. hostapd is a daemon for access point and authentication servers used by WPA3 authentication. wpa_supplicant is a wireless supplicant that implements key negotiation with the WPA Authenticator and supports WPA3. Both of these components,as implemented with Extensible Authentication Protocol Password(EAP-PWD)and SAE,are vulnerable as follows: CVE-2019-9494:SAE cache attack against ECC groups(SAE side-channel attacks)- CWE-208 and CWE-524 The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of observable timing differences and cache access patterns. CVE-2019-9495:EAP-PWD cache attack against ECC groups(EAP-PWD side-channel attack)- CWE-524 The implementations of EAP-PWD in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of cache access patterns. All versions of hostapd and wpa_supplicant with EAP-PWD support are vulnerable. CVE-2019-9496:SAE confirm missing state validation - CWE-642 An invalid authentication sequence could result in the hostapd process terminating due to missing state validation steps when processing the SAE confirm message when in hostapd/AP mode. All version of hostapd with SAE support are vulnerable. CVE-2019-9497:EAP-PWD reflection attack(EAP-PWD missing commit validation)- CWE-301 The implementations of EAP-PWD in hostapd EAP Server and wpa_supplicant EAP Peer do not validate the scalar and element values in EAP-pwd-Commit. CVE-2019-9498:EAP-PWD server missing commit validation for scalar/element - CWE-346 The implementations of EAP-PWD in hostapd EAP Server,when built against a crypto library missing explicit validation on imported elements,do not validate the scalar and element values in EAP-pwd-Commit. CVE-2019-9499:EAP-PWD peer missing commit validation for scalar/element - CWE-346 The implementations of EAP-PWD in wpa_supplicant EAP Peer,when built against a crypto library missing explicit validation on imported elements,do not validate the scalar and element values in EAP-pwd-Commit.
Kategóriák: Biztonsági hírek

VU#192371: Multiple VPN applications insecurely store session cookies

cs, 04/11/2019 - 15:55
Virtual Private Networks(VPNs)are used to create a secure connection with another network over the internet. Multiple VPN applications store the authentication and/or session cookies insecurely in memory and/or log files. CWE-311:Missing Encryption of Sensitive Data The following products and versions store the cookie insecurely in log files: - Palo Alto Networks GlobalProtect prior to 4.1.0(CVE-2019-15373)- Pulse Secure Connect Secure prior to 8.1R14,8.2,8.3R6,and 9.0R2 The following products and versions store the cookie insecurely in memory: - Palo Alto Networks GlobalProtect prior to 4.1.1 - Pulse Secure Connect Secure prior to 8.1R14,8.2,8.3R6,and 9.0R2(CVE-2019-1573)- Cisco AnyConnect 4.7.x and prior It is likely that this configuration is generic to additional VPN applications. If you believe that your organization is vulnerable,please contact CERT/CC at cert@cert.org with the affected products,version numbers,patch information,and self-assigned CVE.
Kategóriák: Biztonsági hírek

VU#174715: MyCar Controls uses hard-coded credentials

h, 04/08/2019 - 23:16
MyCar is a small aftermarket telematics unit from AutoMobility Distribution Inc. MyCar add smartphone-controlled geolocation,remote start/stop and lock/unlock capabilities to a vehicle with a compatible remote start unit. The MyCar Controls mobile application contains hard-coded admin credentials(CWE-798)which can be used in place of a user's username and password to communicate with the server endpoint for a target user's account. This vulnerability affects versions prior to 3.4.24 on iOS and prior to 4.1.2 on Android.
Kategóriák: Biztonsági hírek