US-CERT.gov

CERT publishes vulnerability advisories called "Vulnerability Notes." Vulnerability Notes include summaries, technical details, remediation information, and lists of affected vendors. Many vulnerability notes are the result of private coordination and disclosure efforts.

VU#127371: iOS contains an unspecified kernel vulnerability

Tue, 05/26/2020 - 17:26
iOS contains an unspecified kernel vulnerability that can allow code execution with kernel privileges. The vulnerability is being used by the public unc0ver 5.0 jailbreak utility, which claims to support all devices from iOS 11 through 13.5, excluding versions 12.3-12.3.2 and 12.4.2-12.4.5. The jailbreak is also reported to work on modern iOS devices whose CPU supports Pointer Authentication Codes (PAC), which indicates that PAC does not prevent exploitation of this vulnerability.
Categories: Security news

VU#647177: Bluetooth devices supporting BR/EDR are vulnerable to impersonation attacks

Mon, 05/18/2020 - 20:16
Bluetooth is a short-range wireless technology based on a core specification that defines six different core configurations, including the Bluetooth Basic Rate/Enhanced Data Rate (BR/EDR) Core Configuration. Bluetooth BR/EDR is used for low-power short-range communications. To establish an encrypted connection, two Bluetooth devices must pair with each other using a link key. It is possible for an unauthenticated, adjacent attacker to spoof the address of a previously paired remote device and successfully complete the authentication procedure with some paired/bonded devices without knowing the link key.

The Bluetooth Impersonation Attack (BIAS) can be performed in two different ways, depending on which Secure Simple Pairing method (either Legacy Secure Connections or Secure Connections) was previously used to establish a connection between the two devices. If the pairing procedure was completed using the Secure Connections method, the attacker can claim to be the previously paired remote device that no longer supports Secure Connections, thereby downgrading the authentication security. This allows the attacker to proceed with the BIAS method against legacy authentication, unless the device under attack is in Secure Connections Only mode. If the attacker can downgrade the authentication, or is attacking a device that does not support Secure Connections, they can perform the attack by initiating a master-slave role switch to place themselves in the master role and become the authentication initiator. If successful, they complete the authentication with the remote device. If the remote device does not then mutually authenticate with the attacker in the master role, both devices receive the authentication-complete notification even though the attacker does not possess the link key.

The BIAS method is possible for the following reasons: Bluetooth secure connection establishment is not encrypted, and the selection of the Secure Connections pairing method is not enforced for an already established pairing; Legacy Secure Connections secure connection establishment does not require mutual authentication; a Bluetooth device can perform a role switch at any time after baseband paging; and devices that paired using Secure Connections can use Legacy Secure Connections during secure connection establishment.
Categories: Security news

VU#534195: Bluetooth devices supporting LE and specific BR/EDR implementations are vulnerable to method confusion attacks

Mon, 05/18/2020 - 20:12
Bluetooth is a short-range wireless technology based on a core specification that defines six different core configurations, including the Bluetooth Low Energy (BLE) Core Configuration. Like Bluetooth Classic (BR/EDR), BLE is used for low-power short-range communications, but it has significantly lower power consumption, making it well suited to Internet of Things (IoT) and other resource-constrained devices. For two devices to communicate over BLE, they need to establish a connection by pairing via the (Low Energy) Secure Connections (SC or LESC) or Secure Simple Pairing (SSP) methods. The pairing process includes an exchange of feature information on what each device supports, a public key exchange, and authentication of the public keys using an Association Model. Two of the possible Association Models, Numeric Comparison (NC) and Passkey Entry (PE), are affected by this attack. An adjacent, unauthenticated attacker can intercept the credentials shared during the pairing process and force each victim device into a different Association Model. To do this, the attacker negotiates an NC procedure with one device and a PE procedure with the other; the attack succeeds if the user then erroneously enters the number displayed by the NC device as the passkey on the PE device and accepts pairing on the NC device. This scenario applies to both BLE Secure Connections pairing and BR/EDR Secure Simple Pairing; however, in the BR/EDR Secure Simple Pairing scenario only a device operating as a keyboard for the purposes of pairing may be used to enter the passkey. The attacker is then able to initiate any Bluetooth operation on either attacked device that is exposed by the enabled Bluetooth profiles. For this attack to succeed, the attacking device must be within wireless range of two vulnerable Bluetooth devices that are establishing either an LE or a BR/EDR encrypted connection without existing shared credentials (long term key or link key).

At least one device must permit entry of a passkey, and the other must have a display capable of showing six decimal digits. The attack is possible because the NC and PE Association Models use the same form of check value, the model in use is not indicated to the user (making the change extremely difficult to notice), and the devices do not authenticate which Association Model the peer device is using.
Categories: Security news

VU#366027: Samsung Qmage codec for Android Skia library does not properly validate image files

Thu, 05/14/2020 - 22:48
The Samsung May 2020 Android Security Update notes that "a possible memory overwrite vulnerability in Quram qmg library allows possible remote arbitrary code execution." Samsung identifies this vulnerability as SVE-2020-16747, more commonly known as CVE-2020-8899. Google Project Zero performed extensive fuzz testing on the Qmage (or Quram, or qmg) code Samsung added to the Android Skia library and identified more than 1500 unique crashing test cases. At least one of these memory corruption vulnerabilities can be exploited by sending a specially crafted MMS message to a vulnerable device. Samsung notes that Android versions O (8.X), P (9.0), and Q (10.0) are affected.
Categories: Security news

VU#660597: Periscope BuySpeed is vulnerable to stored cross-site scripting

Mon, 04/06/2020 - 15:48
Periscope BuySpeed is a "tool to automate the full procure-to-pay process efficiently and intelligently". BuySpeed version 14.5 is vulnerable to stored cross-site scripting, which could allow a local, authenticated attacker to store arbitrary JavaScript within the application. This JavaScript is subsequently displayed by the application without sanitization, so it executes in the browser of any user who views the affected page. This could potentially allow for website redirection, session hijacking, or information disclosure.
Categories: Security news

VU#962085: Versiant LYNX Customer Service Portal is vulnerable to stored cross-site scripting

Mon, 03/30/2020 - 19:39
The Versiant LYNX Customer Service Portal (CSP) is a "full-service customer portal that provides real-time information to terminal operators on the status of shipments into and out of a marine container terminal". The LYNX CSP, version 3.5.2, is vulnerable to stored cross-site scripting, which could allow a local, authenticated attacker to insert malicious JavaScript that is stored and displayed to end users.
Categories: Security news

VU#944837: Vertiv Avocent UMG-4000 vulnerable to command injection and cross-site scripting vulnerabilities

Mon, 03/30/2020 - 19:38
The Vertiv Avocent UMG-4000 contains multiple vulnerabilities that could allow an authenticated attacker with administrative privileges to remotely execute arbitrary code. The web interface does not sanitize input provided by the remote client, making it vulnerable to command injection, stored cross-site scripting, and reflected cross-site scripting.

CVE-2019-9507 - CWE-95: The web interface of the Avocent UMG-4000 version 4.2.1.19 is vulnerable to command injection because the application incorrectly neutralizes code syntax before executing it. Since all commands within the web application are executed as root, this could allow a remote attacker authenticated with an administrator account to execute arbitrary commands as root. The CVSS 2.0 score below is based on CVE-2019-9507.

CVE-2019-9508 - CWE-79: The web interface of the Avocent UMG-4000 version 4.2.1.19 is vulnerable to stored XSS. A remote attacker authenticated with an administrator account could store a maliciously named file within the web application; the script embedded in that name would execute each time a user browsed to the page.

CVE-2019-9509 - CWE-79: The web interface of the Avocent UMG-4000 version 4.2.1.19 is vulnerable to reflected XSS in an HTTP POST parameter. The web application does not neutralize user-controllable input before displaying it in a web page, which could allow a remote attacker authenticated with a user account to execute arbitrary script in another user's browser.
Categories: Security news

VU#354840: Microsoft Windows Type 1 font parsing remote code execution vulnerabilities

Mon, 03/23/2020 - 21:42
Adobe Type Manager, which is provided by atmfd.dll, is a kernel module shipped with Windows that provides support for Adobe Type 1 PostScript and OpenType fonts. Two vulnerabilities in the Microsoft Windows Adobe Type Manager library may allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system. These vulnerabilities affect all supported versions of Windows, as well as Windows 7, and are being exploited in the wild.
Categories: Security news

VU#425163: Machine learning classifiers trained via gradient descent are vulnerable to arbitrary misclassification attack

Thu, 03/19/2020 - 14:43
This vulnerability results from using gradient descent to train a neural network that classifies inputs. As such, it is a vulnerability in the algorithm. In plain terms, this means that the currently standard usage of this type of machine learning algorithm can always be fooled or manipulated if the adversary can interact with it. What kind or amount of interaction an adversary needs is not always clear, and some attacks can succeed with only minor or indirect interaction. In general, however, more access or more interaction options reduce the effort required to fool the machine learning algorithm. If the adversary has information about some part of the machine learning process (training data, training results, model, or operational/testing data), then with sufficient effort the adversary can craft an input that will fool the machine learning tool into yielding a result of the adversary's choosing. In the instantiations of this vulnerability that we are currently aware of, "sufficient effort" ranges widely, between seconds and weeks of commodity compute time. Within the taxonomy by Kumar et al., such misclassifications are either perturbation attacks or adversarial examples in the physical domain. There are other kinds of failures or attacks related to ML systems, and other ML systems besides those trained via gradient descent; however, this note is restricted to this specific algorithmic vulnerability.

Formally, the vulnerability is defined for the following case of classification. Let x be a feature vector and y be a class label. Let L be a loss function, such as cross-entropy loss. We wish to learn a parameter vector θ for a given class of functions f such that the expected loss is minimized. Specifically, let

In the case where f(θ,x) is a neural network, finding the global minimizer θ* is often computationally intractable. Instead, various methods are used to find θ^, which is a "good enough" approximation. We refer to f(θ^,.) as the fitted neural network.

If stochastic gradient descent is used to find θ^ for the broadly defined set of f(θ,x) representing neural networks, then the fitted neural network f(θ^,.) is vulnerable to adversarial manipulation. Specifically, it is possible to take f(θ^,.) and find an x' such that the difference between x and x' is smaller than some arbitrary bound, and yet f(θ^,x) has the label y while f(θ^,x') has an arbitrarily different label y'. (Mathematicians, please excuse our abuse of ^ as \hat and * as \star.) The uncertainty of the impact of this vulnerability is compounded because practitioners and vendors do not tend to disclose which machine learning algorithms they use. However, training neural networks by gradient descent is a common technique. See also the examples in the impact section.
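As an added illustration (this is not part of the CERT note, nor code from any product it mentions), the following Python builds the smallest instance of the definition above: f(θ,x) = sigmoid(θ·x + b), a one-layer network fitted by batch gradient descent on cross-entropy loss over constructed, linearly separable data, and then finds an x' that differs from x by a small amount in every feature yet receives the opposite label. The gradient of the logit with respect to x is θ itself, so moving each feature by ε against sign(θ) shifts the logit by ε·‖θ‖₁ (the fast gradient sign direction); the same construction applies to deeper networks with the gradient obtained by backpropagation. The data dimensions, step size, epoch count and the 0.3 perturbation budget (15% of the [-1, 1] feature range) are assumptions.

```python
import math
import random


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def make_data(n=200, d=20, seed=0):
    """Constructed, linearly separable data: y = 1 iff w_true . x > 0,
    with features drawn uniformly from [-1, 1]."""
    rng = random.Random(seed)
    w_true = [rng.uniform(-1.0, 1.0) for _ in range(d)]
    xs = [[rng.uniform(-1.0, 1.0) for _ in range(d)] for _ in range(n)]
    ys = [1 if sum(w * xi for w, xi in zip(w_true, x)) > 0 else 0 for x in xs]
    return xs, ys


def logit(theta, b, x):
    return sum(t * xi for t, xi in zip(theta, x)) + b


def train(xs, ys, lr=0.5, epochs=300):
    """Batch gradient descent on mean cross-entropy loss.
    Returns the fitted parameters (theta_hat, b_hat)."""
    d, n = len(xs[0]), len(xs)
    theta, b = [0.0] * d, 0.0
    for _ in range(epochs):
        grad, grad_b = [0.0] * d, 0.0
        for x, y in zip(xs, ys):
            err = sigmoid(logit(theta, b, x)) - y  # dL/dz for cross-entropy
            for i in range(d):
                grad[i] += err * x[i]
            grad_b += err
        theta = [t - lr * g / n for t, g in zip(theta, grad)]
        b -= lr * grad_b / n
    return theta, b


def predict(theta, b, x):
    return 1 if logit(theta, b, x) > 0 else 0


def accuracy(theta, b, xs, ys):
    return sum(predict(theta, b, x) == y for x, y in zip(xs, ys)) / len(xs)


def min_flip_eps(theta, b, x):
    """Smallest L-infinity perturbation that reaches the decision boundary:
    d(logit)/dx = theta, so moving each feature by eps against sign(theta)
    (or with it, for class 0) shifts the logit by eps * ||theta||_1."""
    return abs(logit(theta, b, x)) / sum(abs(t) for t in theta)


def adversarial_example(theta, b, x, slack=1.01):
    """Return (x_adv, eps): x moved by eps = slack * min_flip_eps along the
    fast gradient sign direction, so predict() yields the other label.
    Features are deliberately not clipped back into the data range."""
    eps = slack * min_flip_eps(theta, b, x)
    toward = -1.0 if predict(theta, b, x) == 1 else 1.0
    x_adv = [xi + toward * eps * (1.0 if t >= 0.0 else -1.0)
             for xi, t in zip(x, theta)]
    return x_adv, eps


def flippable_fraction(theta, b, xs, budget):
    """Fraction of inputs whose label can be flipped within an L-inf budget."""
    return sum(min_flip_eps(theta, b, x) <= budget for x in xs) / len(xs)


def demo():
    xs, ys = make_data()
    theta, b = train(xs, ys)
    x_adv, eps = adversarial_example(theta, b, xs[0])
    return {
        "train_accuracy": accuracy(theta, b, xs, ys),
        "original_label": predict(theta, b, xs[0]),
        "adversarial_label": predict(theta, b, x_adv),
        "eps": eps,
        "linf_distance": max(abs(a - o) for a, o in zip(x_adv, xs[0])),
        "flippable_within_0.3": flippable_fraction(theta, b, xs, 0.3),
    }


if __name__ == "__main__":
    print(demo())
```

The point is that the perturbation needed is a property of the fitted θ^, not of any particular input: once the model is known (or approximated by a surrogate), the attacker computes the direction directly from the gradient and needs no trial and error.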
Categories: Security news

VU#872016: Microsoft SMBv3 compression remote code execution vulnerability

Wed, 03/11/2020 - 01:43
Microsoft Server Message Block 3.1.1 (SMBv3) contains a vulnerability in the way that it handles connections that use compression. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. It has been reported that this vulnerability is "wormable."
Categories: Security news

VU#390745: OpenSMTPD vulnerable to local privilege escalation and remote code execution

Mon, 03/09/2020 - 15:40
OpenSMTPD is an open-source server-side implementation of the Simple Mail Transfer Protocol (SMTP) that is part of the OpenBSD Project. OpenSMTPD's smtp_mailaddr() function is responsible for validating sender and recipient mail addresses. If the local part of an address is invalid and the domain name is empty, smtp_mailaddr() adds a default domain name instead of failing because of the invalid local part. This allows the invalid local part to pass through the function without validation.
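The following Python is an added example, not OpenSMTPD's code: it models the validation flow the note describes next to a corrected version. In the flawed flow, an address that fails validation but has an empty domain is "repaired" by filling in a default domain and accepted, without re-checking the local part that just failed. The character sets, the default domain and the sample addresses are assumptions; the local-part set here is a deliberately narrow subset of what SMTP allows.

```python
import re

# Illustrative (assumed) rules: a conservative subset of the characters SMTP
# permits in a local part, a hostname-style domain, and a default domain that
# is appended to bare user names.
LOCALPART_RE = re.compile(r"^[A-Za-z0-9._+-]+$")
DOMAIN_RE = re.compile(r"^[A-Za-z0-9.-]+$")
DEFAULT_DOMAIN = "mail.example"


def split_mailaddr(addr):
    """'user@domain' -> (user, domain); a bare 'user' has an empty domain."""
    user, _, domain = addr.partition("@")
    return user, domain


def mailaddr_vulnerable(addr, mailfrom=False):
    """Models the flawed flow: validate, then 'repair' an empty domain without
    re-validating the local part. Returns (user, domain) if accepted, else None."""
    user, domain = split_mailaddr(addr)
    if LOCALPART_RE.match(user) and DOMAIN_RE.match(domain):
        return user, domain
    if mailfrom and user == "" and domain == "":
        return user, domain  # null reverse-path, needed for bounce messages
    if user == "":
        return None
    if domain == "":
        # The flaw: the local part already failed validation above, yet the
        # address is accepted as soon as a default domain is filled in.
        return user, DEFAULT_DOMAIN
    return None


def mailaddr_fixed(addr, mailfrom=False):
    """Same flow, but an invalid local part is rejected before any repair."""
    user, domain = split_mailaddr(addr)
    if mailfrom and user == "" and domain == "":
        return user, domain
    if not LOCALPART_RE.match(user):
        return None
    if domain == "":
        domain = DEFAULT_DOMAIN
    if not DOMAIN_RE.match(domain):
        return None
    return user, domain


# Constructed addresses; the third has a character outside the allowed set and
# no domain, which is exactly the case the advisory describes.
SAMPLES = ["alice@example.org", "alice", "a;b", "a;b@example.org", ""]


def compare(samples=SAMPLES):
    """(accepted_by_vulnerable, accepted_by_fixed) verdicts keyed by address."""
    return {a: (mailaddr_vulnerable(a, mailfrom=True) is not None,
                mailaddr_fixed(a, mailfrom=True) is not None)
            for a in samples}


if __name__ == "__main__":
    for addr, (vuln, fixed) in compare().items():
        print(f"{addr!r:22} vulnerable={'accept' if vuln else 'reject':6} "
              f"fixed={'accept' if fixed else 'reject'}")
```

The general lesson is ordering: any "fix-up" of a partially invalid input (defaulting a domain, normalising a path, trimming a name) must happen before validation, or validation must be re-run on the repaired value; otherwise the repair becomes a bypass.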
Categories: Security news

VU#782301: pppd vulnerable to buffer overflow due to a flaw in EAP packet processing

Wed, 03/04/2020 - 19:28
PPP is the protocol used for establishing internet links over dial-up modems, DSL connections, and many other types of point-to-point links, including Virtual Private Networks (VPN) such as the Point to Point Tunneling Protocol (PPTP). The pppd software can also authenticate a network-connected peer and/or supply authentication information to the peer using multiple authentication protocols, including EAP. Due to a flaw in the Extensible Authentication Protocol (EAP) packet processing in the Point-to-Point Protocol Daemon (pppd), an unauthenticated remote attacker may be able to cause a stack buffer overflow, which may allow arbitrary code execution on the target system. The vulnerability is due to an error in validating the size of the input before copying the supplied data into memory. Because the size validation is incorrect, arbitrary data can be copied into memory and cause memory corruption, possibly leading to execution of unwanted code.

The vulnerability is in the logic of the EAP parsing code, specifically in the eap_request() and eap_response() functions in eap.c, which are called by a network input handler. These functions take a pointer and a length as input, using the first byte as a type. If the type is EAPT_MD5CHAP (4), the code reads an embedded 1-byte length field. The logic is intended to make sure that the embedded length is smaller than the whole packet length. After this verification, it copies the provided data (a hostname) that follows the value described by the embedded length field into a local stack buffer. This bounds check is incorrect and allows the copy to proceed with an arbitrary length of data.

An additional logic flaw causes the eap_input() function not to check whether EAP has been negotiated during the Link Control Protocol (LCP) phase. This allows an unauthenticated attacker to send an EAP packet even if pppd refused the authentication negotiation, whether because of lack of support for EAP or because of a mismatch in the agreed pre-shared passphrase in the LCP phase. The vulnerable pppd code in eap_input() will still process the EAP packet and trigger the stack buffer overflow. This unverified data of unknown size can be used to corrupt memory on the target system. pppd often runs with high privileges (system or root) and works in conjunction with kernel drivers, which makes it possible for an attacker to potentially execute arbitrary code with system or root privileges.

The pppd software has also been adopted into the lwIP (lightweight IP) project to provide pppd capabilities for small devices. The default installer and packages of lwIP are not vulnerable to this buffer overflow. However, if you have used the lwIP source code and specifically configured it to enable EAP at compile time, your software is likely vulnerable to the buffer overflow. The recommended update is available from the Git repository http://git.savannah.nongnu.org/cgit/lwip.git (specifically the patch referenced at http://git.savannah.nongnu.org/cgit/lwip.git/commit/?id=2ee3cbe69c6d2805e64e7cac2a1c1706e49ffd86). This type of weakness is commonly associated in the Common Weakness Enumeration (CWE) with CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow').
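The two checks described above, modelled in Python as an added example (this is not pppd's code, and it computes copy lengths rather than performing any copy): the pre-fix bound compares the challenge-value length against the packet length plus the buffer size, a condition that can never hold once the value is known to fit inside the packet, so the "trim" branch is dead and the trailing peer name is copied at whatever length arrives; the corrected bound limits the name length itself. The 256-byte buffer size and the constructed packets are assumptions, and the dispatch flag stands in for the LCP negotiation state.

```python
EAPT_MD5CHAP = 4
RHOSTNAME_SIZE = 256  # assumed size of the peer-name stack buffer


def md5chap_name_copy_len(body, hardened):
    """Model of the MD5-Challenge branch of eap_request()/eap_response().
    `body` is the EAP payload from the type byte onward. Returns the number
    of bytes that would be copied into the peer-name buffer, or None when
    the packet is rejected by the length checks."""
    if len(body) < 2 or body[0] != EAPT_MD5CHAP:
        return None
    length = len(body) - 1     # bytes after the type octet
    vallen = body[1]           # embedded 1-byte length of the challenge value
    length -= 1                # bytes after the vallen octet
    if vallen < 8 or vallen > length:
        return None            # this part of the check is correct
    name_len = length - vallen # the peer name follows the challenge value
    if not hardened:
        # Pre-fix bound: with vallen <= length this can never be true, so the
        # trimming branch is dead and name_len bytes are copied unconditionally.
        if vallen >= length + RHOSTNAME_SIZE:
            return RHOSTNAME_SIZE - 1
        return name_len
    # Fixed bound: limit what is actually copied, leaving room for the NUL.
    if name_len >= RHOSTNAME_SIZE:
        return RHOSTNAME_SIZE - 1
    return name_len


def overflows(copy_len):
    """True when copy_len bytes plus a terminating NUL exceed the buffer."""
    return copy_len is not None and copy_len >= RHOSTNAME_SIZE


def build_md5chap(name_len, vallen=16):
    """Constructed packet body: type, vallen, challenge value, peer name."""
    return bytes([EAPT_MD5CHAP, vallen]) + b"\x00" * vallen + b"A" * name_len


def eap_input(negotiated, body, hardened):
    """Models the dispatch flaw: the original eap_input() handled EAP packets
    even when EAP had not been agreed during LCP. Returns the copy length the
    request handler would produce, or None if the packet is dropped."""
    if hardened and not negotiated:
        return None
    return md5chap_name_copy_len(body, hardened)


if __name__ == "__main__":
    for name_len in (40, 255, 300):
        pkt = build_md5chap(name_len)
        for hardened in (False, True):
            n = eap_input(False, pkt, hardened)
            print(f"name_len={name_len:3} hardened={hardened!s:5} "
                  f"copy={n} overflow={overflows(n)}")
```

Note that the packet is well-formed from the protocol's point of view (the challenge value fits, the lengths are consistent); the overflow comes only from the trailing name exceeding a fixed local buffer, which is why fuzzing length fields alone would not have found it while varying the trailer does.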
Categories: Security news

VU#498544: ZyXEL NAS pre-authentication command injection in weblogin.cgi

Mon, 02/24/2020 - 18:31
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). ZyXEL NAS devices perform authentication using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter passed to it. If the username parameter contains certain characters, it allows command injection with the privileges of the web server running on the ZyXEL device. Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. Exploit code for this vulnerability is available on the internet. For this reason, we have created a PoC exploit that has the ability to power down affected ZyXEL devices.
Categories: Security news

VU#338824: Microsoft Internet Explorer Scripting Engine memory corruption vulnerability

Thu, 02/20/2020 - 00:56
Microsoft Internet Explorer contains a scripting engine,which handles execution of scripting languages such as VBScript and JScript. The scripting engine JScript component contains an unspecified memory corruption vulnerability. Any application that supports embedding Internet Explorer or its scripting engine component may be used as an attack vector for this vulnerability. This vulnerability was detected in exploits in the wild.
Categories: Security news