US-CERT.gov

Feliratkozás US-CERT.gov hírcsatorna csatornájára
CERT publishes vulnerability advisories called "Vulnerability Notes." Vulnerability Notes include summaries, technical details, remediation information, and lists of affected vendors. Many vulnerability notes are the result of private coordination and disclosure efforts.
Frissítve: 1 óra 5 perc

VU#597809: IBM ServeRAID Manager exposes unauthenticated Java Remote Method Invocation (RMI)

sze, 02/12/2020 - 12:19
IBM ServeRAID Manager includes an embedded instance of Java version 1.4.2. Both ServeRAID Manager and Java 1.4.2 are no longer supported. ServeRAID Manager uses a Java remote method invocation(RMI)interface on a TCP port that listens on all interfaces by default. ServeRAID Manager runs with SYSTEM privileges on Microsoft Windows systems. An unauthenticated attacker with network access can exploit the vulnerable RMI interface to launch a remote class loader attack. The ServeRAID product name is used for hardware and software components variously owned and maintained by IBM,Lenovo,and other vendors. This vulnerability applies to IBM ServeRAID Manager software and no products or components from Lenovo or any other vendor.
Kategóriák: Biztonsági hírek

VU#261385: Cisco Discovery Protocol (CDP) enabled devices are vulnerable to denial-of-service and remote code execution

sze, 02/05/2020 - 17:31
CVE-2020-3110 Cisco's Video Surveillance 8000 Series IP cameras with CDP enabled are vulnerable to a heap overflow in the parsing of DeviceID type-length-value(TLV). The CVSS score reflected below is in regards to this vulnerability. CVE-2020-3111 Cisco Voice over Internet Protocol(VoIP)phones with CDP enabled are vulnerable to a stack overflow in the parsing of PortID type-length-value(TLV). CVE-2020-3118 Cisco's CDP subsystem of devices running,or based on,Cisco IOS XR Software are vulnerable to improper validation of string input from certain fields within a CDP message that could lead to a stack overflow. CVE-2020-3119 Cisco's CDP subsystem of devices running,or based on,Cisco NX-OS Software is vulnerable to a stack buffer overflow and arbitrary write in the parsing of Power over Ethernet(PoE)type-length-value(TLV). CVE-2020-3120 Cisco's CDP subsystem of devices running,or based on,Cisco NX-OS,IOS XR,and FXOS Software are vulnerable to a resource exhaustion denial-of-service condition.
Kategóriák: Biztonsági hírek

VU#390745: OpenSMTPD vulnerable to local privilege escalation and remote code execution

p, 01/31/2020 - 22:40
OpenSMTPD is an open-source server-side implementation of the Simple Mail Transfer Protocol(SMTP)that is part of the OpenBSD Project. OpenSMTPD's smtp_mailaddr()function is responsible for validating sender and recipient mail addresses. If the local part of an address is invalid and the domain name is empty,smtp_mailaddr()will automatically add a domain name as opposed to failing because of the invalid local address. This will allow the invalid local address to pass through the function without validation.
Kategóriák: Biztonsági hírek

VU#338824: Microsoft Internet Explorer Scripting Engine memory corruption vulnerability

p, 01/17/2020 - 23:52
Microsoft has released Security Advisory ADV200001,which describes a memory corruption vulnerability in the Scripting Engine. This vulnerability is being exploited in the wild.
Kategóriák: Biztonsági hírek

VU#335217: Multiple caching service providers are vulnerable to HTTP cache poisoning

k, 01/14/2020 - 20:27
CDNs use HTTP caching software to provide high availability and high performance by distributing the service spatially relative to end-users. The HTTP caching software interprets the HTTP request from a website visitor(web client)using the supplied HTTP headers to select and deliver appropriate content. The content can either be delivered from the local cache or collected by reaching the appropriate back end web servers. This vulnerability works by sending arbitrary headers into the HTTP request stream,which may be processed by the back end web server or by the HTTP caching software. If either the web server or the HTTP caching software is vulnerable,it will include the attackers injected content in the response without performing any type of sanitization. Once the attacker's malicious content is returned,it will also be cached by the HTTP caching software. The HTTP caching software will continue to serve the malicious content to all future visitors of the website until the cache expires or is deleted. This allows the attacker to inject arbitrary content once and have multiple future visitors of the CDN hosted website collect the attacker's content and execute unwanted scripts. HTTP header injection using traditional headers,like the Host header and X-Forwarded-Host header,is not a new attack method. New HTTP headers like X-Forwarded-Proto,Referer,Upgrade-Insecure-Requests,and X-DNS-Prefetch-Control have been created to provide more capabilities for HTTP processing. Cloud caching in addition to newly available headers allows for an increase in prolonged,large scale attacks against busy and popular websites. Some examples of the vulnerable headers are: Content-Security-Policy-Report-Only Forwarded Server-Timing Set-Cookie Strict-Transport-Security X-Forwarded-Proto Location Accept-Language Cookie X-Forwarded-For X-Forwarded-Host Referer Max-Forwards There are at least two common reasons why these attacks are possible: 1. Certain HTTP headers(e.g.,X-Forwarded-Host)are sent by the reverse proxy or CDN to the web server and are many times presumed to be generated/modified by the CDN and therefore trusted. 2. Certain HTTP headers(e.g.,User-Agent)are not sanitized by the CDN before being delivered to the web server.
Kategóriák: Biztonsági hírek

VU#491944: Microsoft Windows Remote Desktop Gateway allows for unauthenticated remote code execution

k, 01/14/2020 - 19:03
Microsoft Windows Remote Desktop Gateway(RD Gateway)is a Windows Server component that provides access to Remote Desktop services without requiring the client system to be present on the same network as the target system. Originally launched as Terminal Services Gateway(TS Gateway)with Windows Server 2008,RD Gateway is a recommended way to provide Remote Desktop connectivity to cloud-based systems. For example,guidance has been provided for using RD Gateway with AWS,and also with Azure. The use of RD Gateway is recommended to reduce the attack surface of Windows-based hosts. Microsoft RD Gateway contains two vulnerabilities that can allow an unauthenticated remote attacker to execute arbitrary code with SYSTEM privileges.
Kategóriák: Biztonsági hírek

VU#849224: Microsoft Windows CryptoAPI fails to properly validate ECC certificate chains

k, 01/14/2020 - 18:59
The Microsoft Windows CryptoAPI,which is provided by Crypt32.dll,fails to validate ECC certificates in a way that properly leverages the protections that ECC cryptography should provide. As a result,an attacker may be able to craft a certificate that appears to have the ability to be traced to a trusted root certificate authority. Any software,including third-party non-Microsoft software,that relies on the Windows CertGetCertificateChain()function to determine if an X.509 certificate can be traced to a trusted root CA may incorrectly determine the trustworthiness of a certificate chain.
Kategóriák: Biztonsági hírek

VU#619785: Citrix Application Delivery Controller and Citrix Gateway directory traversal vulnerability

sze, 01/08/2020 - 17:47
Citrix has published a security bulletin that mentions a vulnerability that can be exploited to achieve arbitrary code execution by a remote,unauthenticated attacker. Although the bulletin does not describe details about the vulnerability,the mitigation steps describe techniques to block the handling of requests that contain a directory traversal attempt. Although this vulnerability was disclosed by Citrix on December 17,2019,Citrix has not yet provided a software update to address the issue.
Kategóriák: Biztonsági hírek

VU#873161: Telos Automated Message Handling System contains multiple vulnerabilities

cs, 12/19/2019 - 21:39
Telos AMHS is a web-based messaging system that supports DoD and Intelligence Community(IC)security marking requirements. AMHS versions prior to version 4.1.5.5 contain multiple XSS vulnerabilities and also fail to properly restrict access to information about other users on the system.
Kategóriák: Biztonsági hírek

VU#941987: Apple devices vulnerable to boot ROM race condition

cs, 12/19/2019 - 20:03
A vulnerability in the Boot ROM of some Apple devices can be exploited by an unauthenticated local attacker to execute arbitrary code upon booting those devices. The Boot ROM,which is located within the processor,contains the first code executed by the processor upon booting the device. Because the Boot ROM is read-only,it cannot be patched with a firmware update. Apple devices that implement processing chips A5 through A11 are vulnerable. This corresponds to iPhone models 4S through X; additionally,certain models of iPad,Apple Watch,iPod Touch,and Apple TV are vulnerable. See the Malwarebytes blog entry for a full list of affected devices. Further details about the vulnerability are available in Ars Technica's interview with the vulnerability's discoverer.
Kategóriák: Biztonsági hírek

VU#605641: HTTP/2 implementations do not robustly handle abnormal traffic and resource exhaustion

k, 11/19/2019 - 22:13
The Security Considerations section of RFC7540 discusses some of the considerations needed for HTTP/2 connections as they demand more resources to operate than HTTP/1.1 connections. While it generally covers expected behavior considerations,how to mitigate abnormal behavior is left to the implementer which can leave it open to the following weaknesses. CVE-2019-9511,also known as Data Dribble The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued,this can consume excess CPU,memory,or both,potentially leading to a denial of service. CVE-2019-9512,also known as Ping Flood The attacker sends continual pings to an HTTP/2 peer,causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued,this can consume excess CPU,memory,or both,potentially leading to a denial of service. CVE-2019-9513,also known as Resource Loop The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU,potentially leading to a denial of service. CVE-2019-9514,also known as Reset Flood The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames,this can consume excess memory,CPU,or both,potentially leading to a denial of service. CVE-2019-9515,also known as Settings Flood The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame,an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued,this can consume excess CPU,memory,or both,potentially leading to a denial of service. CVE-2019-9516,also known as 0-Length Headers Leak The attacker sends a stream of headers with a 0-length header name and 0-length header value,optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory,potentially leading to a denial of service. CVE-2019-9517,also known as Internal Data Buffering The attacker opens the HTTP/2 window so the peer can send without constraint; however,they leave the TCP window closed so the peer cannot actually write(many of)the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses,this can consume excess memory,CPU,or both,potentially leading to a denial of service. CVE-2019-9518,also known as Empty Frame Flooding The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA,HEADERS,CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU,potentially leading to a denial of service.
Kategóriák: Biztonsági hírek

VU#125336: Microsoft Office for Mac cannot properly disable XLM macros

p, 11/01/2019 - 16:22
XLM macros Up to and including Microsoft Excel 4.0,a macro format called XLM was available. XLM macros predate the VBA macros that are more common with modern Microsoft Office systems,however current Microsoft Office versions still support XLM macros. SYLK and XLM macros XLM macros can be incorporated into SYLK files,as outlined by Outflank. Macros in the SYLK format are problematic in that Microsoft Office does not open in Protected View to help protect users. This means that users may be a single click away from arbitrary code execution via a document that originated from the internet. SYLK and XLM macros with Microsoft Office for Mac It has been reported that Office 2011 for Mac fails to warn users before opening SYLK files that contain XLM macros. According to this post,Microsoft has reported that Office 2016 and Office 2019 for Mac properly prompt the user before executing XLM macros in SYLK files. The Problem If Office for the Mac has been configured to use the"Disable all macros without notification"feature,XLM macros in SYLK files are executed without prompting the user. We have confirmed this behavior with fully-patched Office 2016 and Office 2019 for Mac systems.
Kategóriák: Biztonsági hírek