Wednesday, August 31, 2016
Cisco Hosted Collaboration Mediation Fulfillment Authenticated Directory Traversal Vulnerability
A vulnerability in the web interface of Cisco Hosted Collaboration Mediation Fulfillment could allow an authenticated, remote attacker to access arbitrary files on the system. This vulnerability allows the attacker to perform directory traversal.
The vulnerability is due to a lack of proper input verification and sanitization of the user input directory path. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. An exploit could allow the attacker to read arbitrary files on the system that should be restricted.
Cisco has not released software updates that address this vulnerability. Workarounds that address this vulnerability are not available.
This advisory is available at the following link: http://ift.tt/2bS2saV
Security Impact Rating: Medium
CVE: CVE-2016-6370
from Cisco Security Advisory http://ift.tt/2bS2saV
Cisco Wireless LAN Controller wIPS Denial of Service Vulnerability
A vulnerability in the Cisco Adaptive Wireless Intrusion Prevention System (wIPS) implementation in the Cisco Wireless LAN Controller (WLC) could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition because the wIPS process on the WLC unexpectedly restarts.
The vulnerability is due to lack of proper input validation of wIPS protocol packets. An attacker could exploit this vulnerability by sending a malformed wIPS packet to the affected device. An exploit could allow the attacker to cause a DoS condition when the wIPS process on the WLC unexpectedly restarts.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
http://ift.tt/2bS26kA
Security Impact Rating: Medium
CVE: CVE-2016-6376
from Cisco Security Advisory http://ift.tt/2bS26kA
Cisco Wireless LAN Controller TSM SNMP Denial of Service Vulnerability
A vulnerability in the traffic stream metrics (TSM) implemented with the Inter-Access Point Protocol (IAPP) of the Cisco Wireless LAN Controller (WLC) could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition because the process on the WLC unexpectedly restarts. The DoS condition could occur when a subsequent Simple Network Management Protocol (SNMP) request is received for TSM information.
The vulnerability is triggered when an SNMP request for TSM information is received. An attacker could exploit this vulnerability by sending crafted IAPP packets followed by an SNMP request for TSM information to the targeted device. An exploit could allow the attacker to cause a DoS condition when the WLC unexpectedly restarts.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
http://ift.tt/2bS1vzH
Security Impact Rating: Medium
CVE: CVE-2016-6375
from Cisco Security Advisory http://ift.tt/2bS1vzH
Cisco WebEx Meetings Player Denial of Service Vulnerability
A vulnerability in Cisco WebEx Meetings Player could allow an unauthenticated, remote attacker to cause WebEx Meetings Player to crash.
The vulnerability is due to improper validation of user-supplied files. An attacker could exploit this vulnerability by persuading a user to open a malicious file by using the affected software. A successful exploit could allow the attacker to cause WebEx Meetings Player to crash.
Cisco has released software updates that address this vulnerability. Workarounds that address this vulnerability are not available.
This advisory is available at the following link:
http://ift.tt/2bS2boG
Security Impact Rating: Medium
CVE: CVE-2016-1415
from Cisco Security Advisory http://ift.tt/2bS2boG
Cisco Virtual Media Packager PAM API Unauthorized Access Vulnerability
A vulnerability in the application programming interface (API) for the Platform and Applications Manager (PAM) for the Cisco Virtual Media Packager (VMP) could allow an unauthenticated, remote attacker to access the PAM API. The PAM API is only accessible using the SSL or TLS protocol.
The vulnerability is due to lack of proper authentication controls. An attacker could exploit this vulnerability by accessing the PAM API. An exploit could allow the attacker to access the PAM API without authentication.
Cisco has released software updates that address this vulnerability. Workarounds that address this vulnerability are not available.
This advisory is available at the following link: http://ift.tt/2bS1VWH
Security Impact Rating: Medium
CVE: CVE-2016-6377
from Cisco Security Advisory http://ift.tt/2bS1VWH
Cisco Small Business 220 Series Smart Plus Switches SNMP Unauthorized Access Vulnerability
A vulnerability in the implementation of Simple Network Management Protocol (SNMP) functionality in Cisco Small Business 220 Series Smart Plus (Sx220) Switches could allow an unauthenticated, remote attacker to gain unauthorized access to SNMP objects on an affected device.
The vulnerability is due to the presence of a default SNMP community string that is added during device installation and cannot be deleted. An attacker could exploit this vulnerability by using the default SNMP community string to access SNMP objects on an affected device. A successful exploit could allow the attacker to view and modify SNMP objects on a targeted device.
Cisco has released firmware updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
http://ift.tt/2bH1utt
Security Impact Rating: Critical
CVE: CVE-2016-1473
from Cisco Security Advisory http://ift.tt/2bH1utt
Cisco Small Business 220 Series Smart Plus Switches Web Interface Denial of Service Vulnerability
A vulnerability in the web-based management interface of Cisco Small Business 220 Series Smart Plus (Sx220) Switches could allow an unauthenticated, remote attacker to cause the web-based management interface of an affected device to stop responding, resulting in a partial denial of service (DoS) condition on the device.
The vulnerability is due to insufficient validation of HTTP requests by the web-based management interface of an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device via the interface. A successful exploit could allow the attacker to cause the interface to stop responding, resulting in a partial DoS condition that persists until the interface is restarted manually.
Cisco has released firmware updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
http://ift.tt/2bRakVF
Security Impact Rating: Medium
CVE: CVE-2016-1472
from Cisco Security Advisory http://ift.tt/2bRakVF
Cisco Small Business 220 Series Smart Plus Switches Web Interface Cross-Site Scripting Vulnerability
A vulnerability in the web-based management interface of Cisco Small Business 220 Series Smart Plus (Sx220) Switches could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.
The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information.
Cisco has released firmware updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
http://ift.tt/2bR9iJi
Security Impact Rating: Medium
CVE: CVE-2016-1471
from Cisco Security Advisory http://ift.tt/2bR9iJi
Cisco Small Business 220 Series Smart Plus Switches Web Interface Cross-Site Request Forgery Vulnerability
A vulnerability in the web-based management interface of Cisco Small Business 220 Series Smart Plus (Sx220) Switches could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device.
The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on a targeted device via a web browser and with the privileges of the user.
Cisco has released firmware updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
http://ift.tt/2bR9GYA
Security Impact Rating: Medium
CVE: CVE-2016-1470
from Cisco Security Advisory http://ift.tt/2bR9GYA
Cisco Small Business SPA3x/5x Series Denial of Service Vulnerability
A vulnerability in the HTTP framework of Cisco Small Business SPA300 Series IP Phones, Cisco Small Business SPA500 Series IP Phones, and Cisco SPA51x IP Phones could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
The vulnerability is due to incorrect handling of malformed HTTP traffic. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. An exploit could allow the attacker to deny service continually by sending crafted HTTP requests to a phone, resulting in a DoS condition.
Cisco has released software updates that address this vulnerability. Workarounds that address this vulnerability are not available.
This advisory is available at the following link:
http://ift.tt/2bRaxIK
Security Impact Rating: High
CVE: CVE-2016-1469
from Cisco Security Advisory http://ift.tt/2bRaxIK
Cisco WebEx Meetings Player Arbitrary Code Execution Vulnerability
A vulnerability in Cisco WebEx Meetings Player could allow an unauthenticated, remote attacker to execute arbitrary code.
The vulnerability is due to improper handling of user-supplied files. An attacker could exploit this vulnerability by persuading a user to open a malicious file by using the affected software. A successful exploit could allow the attacker to execute arbitrary code on the system with the privileges of the user.
Cisco has released software updates that address this vulnerability. Workarounds that address this vulnerability are not available.
This advisory is available at the following link:
http://ift.tt/2bR9WXu
Security Impact Rating: Critical
CVE: CVE-2016-1464
from Cisco Security Advisory http://ift.tt/2bR9WXu
Cisco Hosted Collaboration Mediation Fulfillment Directory Traversal File System Vulnerability
A vulnerability in the web interface of the Cisco Hosted Collaboration Mediation Fulfillment application could allow an unauthenticated, remote attacker to write arbitrary files to any file system location that the application server has permissions to access.
The vulnerability is due to lack of proper input validation of the HTTP URL format. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected application. An exploit could allow the attacker to write out an arbitrary file. The format of the data written to these files is restricted.
Cisco has not released software updates that address this vulnerability. Workarounds that address this vulnerability are not available.
This advisory is available at the following link: http://ift.tt/2bRa5do
Security Impact Rating: Medium
CVE: CVE-2016-6371
from Cisco Security Advisory http://ift.tt/2bRa5do
IBM Security Bulletin: IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware GUI User May Gain Administrator Authority
A vulnerability exists in the IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware GUI (IBM Spectrum Protect™ for Virtual Environments) where an authenticated user can execute GUI functions that require the Tivoli Storage Manager administrative credentials without having these credentials.
CVE(s): CVE-2016-2988
Affected product(s) and affected version(s):
The following levels of IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware (IBM Spectrum Protect for Virtual Environments) are affected:
- 7.1.0.0 through 7.1.4.x
- 6.4.0.0 through 6.4.3.3
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2bJeCzw
X-Force Database: http://ift.tt/2bROeHm
from IBM Product Security Incident Response Team http://ift.tt/2bJcR5q
Like a Human: Malware Learns How to Act to Bypass the Anti-Fraud Mechanisms of the Google Play Store
Kaspersky Lab experts have discovered an Android trojan called Guerilla, which attempts to overcome the Google Play Store anti-fraud protection mechanisms. It uses a rogue Google Play client application that behaves as if there was a real human behind it. This fake app allows attackers to conduct shady advertisement campaigns using infected devices to download, install, rate and comment on the mobile applications published on Google Play. The malware is only capable of abusing Google Play mechanisms from rooted devices.
As a platform for millions of users and software developers, Google Play is an attractive target for cybercriminals. Among other things, cybercriminals use the Google Play Store to conduct so-called Shuabang campaigns, which are widespread in China. These are fraudulent advertisement activities aimed at promoting some legitimate apps by granting them the highest ratings, increasing their download counts and posting positive comments about them on Google Play. The apps used to conduct these advertisement campaigns usually do not pose any “standard” threat to the owner of an infected device, such as data or money stealing, but they can still do harm: the ability to download additional apps on the infected device results in extra charges for mobile Internet traffic, and in some cases Shuabang apps are capable of covertly installing paid programs along with free ones, using the bank card attached to the victim’s Google Play account as the payment method.
To conduct these campaigns, criminals create multiple fake Google Play accounts or infect user devices with special malware, which covertly performs actions on Google Play, based on the commands received from hackers.
Although Google has strong protection mechanisms, which help detect and block fake users to prevent fraudulent operations, the authors of the Guerilla trojan seem to be trying to overcome them.
The trojan is delivered to the targeted device through the Leech rootkit, malware that gives an attacker user privileges over the infected device. These privileges give the attacker unlimited opportunities to manipulate the data on the device. Among other things, they give access to the victim’s username, passwords and authentication tokens, which are mandatory for an app to communicate with official Google services and are inaccessible to ordinary applications on non-rooted devices. After installation, the Guerilla trojan uses this data to communicate with the Google Play Store as if it were the real Google Play app.
The criminals are very cautious: they are careful enough to use the authentication data of a real user, and they also make requests from the fake client application, to Google Play, look exactly like requests that the real app would issue.
Another unusual thing about this trojan is that malware writers have tried to mimic the way an actual user interacts with the store. For instance, before it requests a page where a particular app is hosted, it searches for an app of interest, like a human would, should they need to find an app.
“Guerilla is not the first malicious app that tries to manipulate the Google Play store, but it does it in a pretty sophisticated way, that we haven’t seen before. The thinking behind this method is clear: Google can probably easily distinguish requests to Google Play that were made by robots – most of the Shuabang malware we know about just automatically sends out requests for the particular page of a particular app. This isn’t something that a real human would do, so it is easy for Google to see that the request is not really from an authorized user. The malware that searches an app before it goes to the app’s page is much harder to detect, as this is how most of Google Play users behave. It is important to note, however, that this malware is only capable of abusing Google Play mechanisms from rooted devices, which again reminds us of how important it is to avoid using rooted Android smartphones and tablets,” said Nikita Buchka, security expert at Kaspersky Lab.
Kaspersky Lab products detect the Guerilla malware as: Trojan.AndroidOS.Guerrilla.a.
In order to protect yourself and your mobile device from the malware that targets Android-based devices, Kaspersky Lab’s experts advise the following:
- Restrict the installation of apps from sources other than official app stores
- Use proven protection solutions to defend your Android-based device from malware and other cyberthreats
- Don’t root your Android device
To learn more about methods that cybercriminals use to abuse Google Play Store, read the blog post available at Securelist.com.
from Corporate News http://ift.tt/2c3WgtI
Tuesday, August 30, 2016
Dropbox Hacked — More Than 68 Million Account Details Leaked Online
Hackers have obtained credentials for more than 68 million accounts for the online cloud storage platform Dropbox from a known 2012 data breach.
Dropbox has confirmed the breach and already notified its customers of a forced password reset, though the initial announcement failed to specify the exact number of affected users.
However, in a selection of files obtained through sources in the database trading community and breach notification service Leakbase, Motherboard found around 5GB of files containing details on 68,680,741 accounts, which includes email addresses and hashed (and salted) passwords for Dropbox users.
An unnamed Dropbox employee verified the legitimacy of the data.
Out of 68 million, almost 32 million passwords are secured using the strong hashing function "BCrypt," making it difficult for hackers to obtain users' actual passwords, while the rest of the passwords are hashed with the SHA-1 hashing algorithm.
These password hashes are also believed to have used a salt – a random string added to the hashing process to further strengthen passwords in order to make it more difficult for hackers to crack them.
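As an added illustration of the two hash types the article contrasts (this is not code from the article or from Dropbox), the following Python shows how a login path can verify a password against a mixed store of salted SHA-1 and slow-hash records and transparently upgrade a legacy SHA-1 record the moment its owner logs in successfully. bcrypt is not in the Python standard library, so hashlib.scrypt stands in for it; the `scheme$salt$digest` record format is an assumption made for the example.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Constructed example of a mixed password store like the one the article
# describes: some records are legacy salted SHA-1, others use a slow,
# memory-hard hash. bcrypt is not in the standard library, so hashlib.scrypt
# stands in for it here; the verify-then-upgrade logic is the same either way.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_sha1_salted(password: str, salt: bytes) -> str:
    """Legacy record: 'sha1$<salt hex>$<digest hex>'.

    The salt stops one precomputed table from covering every user, but SHA-1
    itself is cheap, so an attacker can still test billions of guesses per
    second per hash.
    """
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def hash_scrypt(password: str, salt: bytes) -> str:
    """Modern record: 'scrypt$<salt hex>$<digest hex>'.

    scrypt is deliberately slow and memory-hard, which is the property that
    makes bcrypt-class hashes far more expensive to crack offline.
    """
    digest = hashlib.scrypt(
        password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32
    )
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Check `password` against a stored record.

    Returns (ok, record). When a legacy SHA-1 record verifies, `record` is a
    fresh scrypt record under a new random salt that the caller should persist.
    The plaintext is only available at login time, which is why the migration
    happens here rather than in a batch job over the existing hashes.
    """
    scheme, salt_hex, _digest_hex = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == "sha1":
        candidate = hash_sha1_salted(password, salt)
    elif scheme == "scrypt":
        candidate = hash_scrypt(password, salt)
    else:
        raise ValueError(f"unknown hash scheme: {scheme}")
    # Constant-time comparison so timing does not reveal how much of the
    # digest matched.
    ok = hmac.compare_digest(candidate, stored)
    if ok and scheme == "sha1":
        return True, hash_scrypt(password, os.urandom(16))
    return ok, stored


if __name__ == "__main__":
    legacy = hash_sha1_salted("correct horse", os.urandom(16))
    ok, upgraded = verify_and_upgrade("correct horse", legacy)
    print(ok, upgraded.split("$")[0])
```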
"We've confirmed that the proactive password reset we completed last week covered all potentially impacted users," said Patrick Heim, Head of Trust and Security for Dropbox.
"We initiated this reset as a precautionary measure so that the old passwords from prior to mid-2012 can’t be used to improperly access Dropbox accounts. We still encourage users to reset passwords on other services if they suspect they may have reused their Dropbox password."
Dropbox initially disclosed the data breach in 2012, notifying users that one of its employee passwords was acquired and used to access a file with users’ email addresses, but the company didn't disclose that the hackers were able to pilfer passwords too.
But earlier this week, Dropbox sent out emails alerting its users that a large chunk of its users’ credentials was obtained in the 2012 data breach and may soon be seen on Dark Web marketplaces, prompting them to change their password if they hadn't changed it since mid-2012.
"Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012," the company wrote. "Our analysis suggests that the credentials relate to an incident we disclosed around that time."
Dropbox is the latest to join the list of "Mega-Breaches" revealed this summer, when hundreds of millions of online credentials from years-old data breaches on popular social network sites, including LinkedIn, MySpace, VK.com and Tumblr, were sold on the Dark Web.
The takeaway:
Change your passwords for Dropbox as well as other online accounts immediately, especially if you use the same password for multiple websites.
Also use a good password manager to create complex passwords for different sites as well as remember them. We have listed some of the best password managers that could help you understand the importance of a password manager and choose one according to your requirements.
from The Hacker News http://ift.tt/2c3FTxo
Palo Alto Networks beats revenue expectations for Q4
Palo Alto Networks reported its fourth quarter earnings for fiscal year 2016 on Tuesday, besting revenue expectations.
The cybersecurity firm reported non-GAAP fourth quarter earnings of $46.2 million, or 50 cents a share, on revenue of $400.8 million, up 41 percent from a year ago.
Wall Street was expecting Palo Alto to report earnings of 50 cents a share on revenue of $389.89 million.
The security software vendor expanded its customer base to approximately 34,000 in the fourth quarter. It also extended its platform capabilities and secured new strategic partnerships.
"The security industry is seeing a rapid transformation from legacy hardware and point products to integrated and automated capabilities that seamlessly work together as a platform," CEO Mark McLaughlin said in a statement. "As the primary innovator driving this paradigm shift, customers are turning to our Next-Generation Security Platform in record numbers to more effectively prevent cyberattacks no matter where their data resides."
For the full fiscal year, the company reported non-GAAP earnings of $152.6 million, or $1.67 a share, on revenue of $1.4 billion, up 49 percent.
In terms of guidance for the first quarter of fiscal year 2017, Palo Alto expects EPS in the range of 51 cents to 52 cents and revenue in the range of $396 million to $402 million.
from Latest Topic for ZDNet in... http://ift.tt/2c6B8C7
USN-3070-4: Linux kernel (Xenial HWE) vulnerabilities
Ubuntu Security Notice USN-3070-4
30th August, 2016
linux-lts-xenial vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary
Several security issues were fixed in the kernel.
Software description
- linux-lts-xenial - Linux hardware enablement kernel from Xenial for Trusty
Details
USN-3070-1 fixed vulnerabilities in the Linux kernel for Ubuntu
16.04 LTS. This update provides the corresponding updates for the
Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for
Ubuntu 14.04 LTS.
A missing permission check when setting ACLs was discovered in nfsd. A
local user could exploit this flaw to gain access to any file by setting an
ACL. (CVE-2016-1237)
Kangjie Lu discovered an information leak in the Reliable Datagram Sockets
(RDS) implementation in the Linux kernel. A local attacker could use this
to obtain potentially sensitive information from kernel memory.
(CVE-2016-5244)
James Patrick-Evans discovered that the airspy USB device driver in the
Linux kernel did not properly handle certain error conditions. An attacker
with physical access could use this to cause a denial of service (memory
consumption). (CVE-2016-5400)
Yue Cao et al. discovered a flaw in the TCP implementation's handling of
challenge acks in the Linux kernel. A remote attacker could use this to
cause a denial of service (reset connection) or inject content into a TCP
stream. (CVE-2016-5696)
Pengfei Wang discovered a race condition in the MIC VOP driver in the Linux
kernel. A local attacker could use this to cause a denial of service
(system crash) or obtain potentially sensitive information from kernel
memory. (CVE-2016-5728)
Cyril Bur discovered that on PowerPC platforms, the Linux kernel mishandled
transactional memory state on exec(). A local attacker could use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2016-5828)
It was discovered that a heap-based buffer overflow existed in the USB HID
driver in the Linux kernel. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2016-5829)
It was discovered that the OverlayFS implementation in the Linux kernel did
not properly verify dentry state before proceeding with unlink and rename
operations. A local attacker could use this to cause a denial of service
(system crash). (CVE-2016-6197)
Update instructions
The problem can be corrected by updating your system to the following package version:
- Ubuntu 14.04 LTS:
- linux-image-4.4.0-36-generic-lpae 4.4.0-36.55~14.04.1
- linux-image-4.4.0-36-powerpc64-smp 4.4.0-36.55~14.04.1
- linux-image-4.4.0-36-powerpc-e500mc 4.4.0-36.55~14.04.1
- linux-image-4.4.0-36-powerpc64-emb 4.4.0-36.55~14.04.1
- linux-image-4.4.0-36-lowlatency 4.4.0-36.55~14.04.1
- linux-image-4.4.0-36-generic 4.4.0-36.55~14.04.1
- linux-image-4.4.0-36-powerpc-smp 4.4.0-36.55~14.04.1
To update your system, please follow these instructions: http://ift.tt/17VXqjU.
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References
CVE-2016-1237, CVE-2016-5244, CVE-2016-5400, CVE-2016-5696, CVE-2016-5728, CVE-2016-5828, CVE-2016-5829, CVE-2016-6197
from Ubuntu Security Notices http://ift.tt/2bPrBDg
USN-3070-3: Linux kernel (Qualcomm Snapdragon) vulnerabilities
Ubuntu Security Notice USN-3070-3
30th August, 2016
linux-snapdragon vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
Summary
Several security issues were fixed in the kernel.
Software description
- linux-snapdragon - Linux kernel for Snapdragon Processors
Details
A missing permission check when setting ACLs was discovered in nfsd. A
local user could exploit this flaw to gain access to any file by setting an
ACL. (CVE-2016-1237)
Kangjie Lu discovered an information leak in the Reliable Datagram Sockets
(RDS) implementation in the Linux kernel. A local attacker could use this
to obtain potentially sensitive information from kernel memory.
(CVE-2016-5244)
James Patrick-Evans discovered that the airspy USB device driver in the
Linux kernel did not properly handle certain error conditions. An attacker
with physical access could use this to cause a denial of service (memory
consumption). (CVE-2016-5400)
Yue Cao et al discovered a flaw in the TCP implementation's handling of
challenge acks in the Linux kernel. A remote attacker could use this to
cause a denial of service (reset connection) or inject content into a TCP
stream. (CVE-2016-5696)
Pengfei Wang discovered a race condition in the MIC VOP driver in the Linux
kernel. A local attacker could use this to cause a denial of service
(system crash) or obtain potentially sensitive information from kernel
memory. (CVE-2016-5728)
Cyril Bur discovered that on PowerPC platforms, the Linux kernel mishandled
transactional memory state on exec(). A local attacker could use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2016-5828)
It was discovered that a heap based buffer overflow existed in the USB HID
driver in the Linux kernel. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2016-5829)
It was discovered that the OverlayFS implementation in the Linux kernel did
not properly verify dentry state before proceeding with unlink and rename
operations. A local attacker could use this to cause a denial of service
(system crash). (CVE-2016-6197)
Update instructions
The problem can be corrected by updating your system to the following package version:
- Ubuntu 16.04 LTS:
- linux-image-4.4.0-1024-snapdragon 4.4.0-1024.27
To update your system, please follow these instructions: http://ift.tt/17VXqjU.
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References
CVE-2016-1237, CVE-2016-5244, CVE-2016-5400, CVE-2016-5696, CVE-2016-5728, CVE-2016-5828, CVE-2016-5829, CVE-2016-6197
from Ubuntu Security Notices http://ift.tt/2bGvZkG
USN-3070-2: Linux kernel (Raspberry Pi 2) vulnerabilities
Ubuntu Security Notice USN-3070-2
30th August, 2016
linux-raspi2 vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
Summary
Several security issues were fixed in the kernel.
Software description
- linux-raspi2 - Linux kernel for Raspberry Pi 2
Details
A missing permission check when setting ACLs was discovered in nfsd. A
local user could exploit this flaw to gain access to any file by setting an
ACL. (CVE-2016-1237)
Kangjie Lu discovered an information leak in the Reliable Datagram Sockets
(RDS) implementation in the Linux kernel. A local attacker could use this
to obtain potentially sensitive information from kernel memory.
(CVE-2016-5244)
James Patrick-Evans discovered that the airspy USB device driver in the
Linux kernel did not properly handle certain error conditions. An attacker
with physical access could use this to cause a denial of service (memory
consumption). (CVE-2016-5400)
Yue Cao et al discovered a flaw in the TCP implementation's handling of
challenge acks in the Linux kernel. A remote attacker could use this to
cause a denial of service (reset connection) or inject content into a TCP
stream. (CVE-2016-5696)
Pengfei Wang discovered a race condition in the MIC VOP driver in the Linux
kernel. A local attacker could use this to cause a denial of service
(system crash) or obtain potentially sensitive information from kernel
memory. (CVE-2016-5728)
Cyril Bur discovered that on PowerPC platforms, the Linux kernel mishandled
transactional memory state on exec(). A local attacker could use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2016-5828)
It was discovered that a heap based buffer overflow existed in the USB HID
driver in the Linux kernel. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2016-5829)
It was discovered that the OverlayFS implementation in the Linux kernel did
not properly verify dentry state before proceeding with unlink and rename
operations. A local attacker could use this to cause a denial of service
(system crash). (CVE-2016-6197)
Update instructions
The problem can be corrected by updating your system to the following package version:
- Ubuntu 16.04 LTS:
- linux-image-4.4.0-1021-raspi2 4.4.0-1021.27
To update your system, please follow these instructions: http://ift.tt/17VXqjU.
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References
CVE-2016-1237, CVE-2016-5244, CVE-2016-5400, CVE-2016-5696, CVE-2016-5728, CVE-2016-5828, CVE-2016-5829, CVE-2016-6197
from Ubuntu Security Notices http://ift.tt/2c5Pvql
Record-breaking 1.9 Gbps Internet Speed achieved over 4G Mobile Connection
Elisa, one of the biggest Finnish Internet Service Providers (ISPs), claims to have achieved a new world record for a 4G network with a 1.9 gigabit-per-second (Gbps) data download speed using Huawei technology.
Currently, Sweden and the United Kingdom are ranked as the top countries worldwide for the fastest mobile 3G and 4G speeds (i.e. 20-22 Mbps), but now Finland is working hard to give them tough competition.
Elisa set this record-breaking benchmark with the help of technology provided by Chinese telecom giant Huawei that could allow real-world mobile 4G users to download a Blu-ray film in just 40-45 seconds.
4G and 5G Technology: The future of Mobile Networks
In February last year, a team of researchers from the University of Surrey managed to achieve a record-breaking speed of 1 terabit per second (1 Tbps) during a test of 5G wireless data connections, which is over 500 times faster than Elisa's 4G speed.
In June last year, the International Telecommunication Union (ITU) decided that 5G-compliant Internet providers will have to provide a standard data speed of up to 20 Gbps, which is still 10 times faster than Elisa's 4G speed.
But currently, the fastest available mobile 4G broadband subscription provides a speed of up to 300 Mbps, while the maximum possible speed on Elisa's real-world live network is 450 Mbps.
"The speeds that the 4G network offers are continuously increasing and, possibly in the next few years, we will even be able to offer mobile data connections of several gigabits per second to our customers," says Sami Komulainen, Vice President at Elisa.
However, Elisa is not the first telecommunication company planning to offer at least 1 Gbps on a 4G network within the next "two to three years," as Vodafone Germany is also preparing to provide 1 Gbps on its 4G network by the end of 2016.
Do You Need Ultra-High Speed Mobile Internet?
You might be wondering why a mobile user needs an ultra-high-speed Internet connection.
If higher speeds have the potential for a more connected world with a faster flow of information, then what's wrong with that?
Hyper-fast network speeds will not only be a boon to virtual reality and augmented reality but will also accelerate the mobile video market, facilitating the streaming of larger files, like "high-quality 4K video and beyond."
Moreover, in today's portable world, mobile customers also use their mobile Internet data on laptops and desktops via the tethering feature, and higher speeds will improve their Internet experience.
from The Hacker News http://ift.tt/2c5IkhI
IBM Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affects Liberty for Java for IBM Bluemix July 2016 CPU (CVE-2016-3485)
There are multiple vulnerabilities in the IBM® SDK Java™ Technology Edition that is shipped with IBM WebSphere Application Server. These issues were disclosed in the IBM Java SDK updates in July 2016. These may affect some configurations of Liberty for Java for IBM Bluemix.
CVE(s): CVE-2016-3485
Affected product(s) and affected version(s):
This vulnerability affects all versions of Liberty for Java in IBM Bluemix up to and including v3.1.
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2c2a7k8
X-Force Database: http://ift.tt/2b7G65u
from IBM Product Security Incident Response Team http://ift.tt/2cbMub5
IBM Security Bulletin: Multiple Vulnerabilities in the IBM SDK Java Technology Edition affect IBM Domino
There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition Version 6 SR16FP25 that affect IBM Domino. These issues were disclosed as part of the IBM Java SDK updates in July 2016, fixed with Version 6 SR16FP30.
CVE(s): CVE-2016-3598, CVE-2016-3485
Affected product(s) and affected version(s):
IBM Domino 9.0.1 through 9.0.1 FP6 IF3
IBM Domino 8.5.3 through 8.5.3 FP6 IF14
All 9.0, 8.5.x and 8.5 releases of IBM Domino prior to those listed above
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2cbMec2
X-Force Database: http://ift.tt/2aGcUP3
X-Force Database: http://ift.tt/2b7G65u
from IBM Product Security Incident Response Team http://ift.tt/2cbN3lb
IBM Security Bulletin: Vulnerability in Apache Xerces-C XML parser, including XML4C affects IBM InfoSphere Information Server (CVE-2016-0729)
A vulnerability in the open source Apache Xerces-C XML parser affects IBM InfoSphere Information Server.
CVE(s): CVE-2016-0729
Affected product(s) and affected version(s):
The following product, running on all supported platforms, is affected:
IBM InfoSphere Information Server Connectivity components, DataStage (XML input, output, and transformer stages), Information Analyzer, Quality Stage, and Information Server Pack for Data Masking: versions 8.5, 8.7, 9.1, 11.3, and 11.5
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2c28GCp
X-Force Database: http://ift.tt/297OoIU
from IBM Product Security Incident Response Team http://ift.tt/2c28fYQ
IBM Security Bulletin: Vulnerability in InstallAnywhere affects IBM Omni-Channel Marketing products suite for Microsoft Windows (CVE-2016-4560)
An InstallAnywhere vulnerability was disclosed by Flexera. InstallAnywhere is used by IBM Omni-Channel Marketing products suite for Microsoft Windows. IBM Omni-Channel Marketing products suite for Microsoft Windows has addressed the applicable CVE.
CVE(s): CVE-2016-4560
Affected product(s) and affected version(s):
IBM Campaign 8.5 – 9.1.2
IBM Contact Optimisation 8.5 – 9.1.2
IBM Predictive Insight 8.5 – 9.0
IBM Marketing Operations 8.5 – 9.1.2
Unica Detect 8.5 – 8.6
IBM Interact 8.5 – 9.1.2
IBM Leads 8.5 – 9.1.0
IBM Distributed Marketing 8.5 – 9.1.2
IBM Marketing Platform 8.5 – 9.1.2
SPSS Modeler Advantage EMM Edition 8.0
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2c28rHK
X-Force Database: http://ift.tt/1Vw3dW4
from IBM Product Security Incident Response Team http://ift.tt/2c29tmP
Learning from Delta: The High Cost of Outdated Backup Systems
By Susan Richardson, Manager/Content Strategy, Code42
Chances are you know someone whose travel plans were snafued by the Delta system outage that cancelled 1,800 flights and delayed thousands more in August. IT experts are now pointing to Delta’s outdated disaster recovery technology as the culprit.
But here’s the thing: Delta thought they were ready. Delta’s CEO said the company spent “hundreds of millions of dollars” on backup systems in the past several years to protect against exactly such an incident.
Delta thought their backup was modern. Is yours?
The lesson: Disaster readiness is never done. If you’re not constantly evaluating your backup solutions, you’re putting your organization at risk—not to mention missing added value that modern solutions deliver.
Five signs you don’t have modern endpoint backup
To help you steer clear of disaster, here are five easy signs your backup system isn’t the latest technology:
1. You still get Help Desk calls to retrieve lost data.
The latest backup systems feature intuitive, self-service file restore so employees can do it themselves. Not surprisingly, enterprises with a modern endpoint backup system cited fewer file recovery-related support tickets as a top benefit in a recent survey. More importantly, IT pros were able to use the reduced support time to justify the cost of a more advanced system.
2. Your backup system doesn’t support multiple platforms.
Today, 96 percent of companies support Macs. The enterprise has gone heterogeneous and your backup system should, too. A modern endpoint backup system doesn’t discriminate between Windows, Linux or OS X and doesn’t require a cumbersome VPN connection.
3. You have no visibility into what’s on employee devices.
The latest backup systems give IT a comprehensive, single point of visibility and control across every computer and laptop in the enterprise. You gain the insight to pinpoint leaks and prevent insider threat because you know:
- Which employees are uploading which files to third-party clouds
- Which employees have transferred which files to removable media
- Which employees have uploaded which files via web browsers, including web-based email attachments
- Unusual file restores that may signal compromised credentials
- The content of files and folders
- The location of sensitive, classified and “protected” data
4. You can’t pinpoint where a breach occurred.
With legacy backup, you have to conduct lots of inquiries that take lots of time. With a modern endpoint system, you have visibility into every endpoint (see #3), so you can quickly identify where a breach occurred and reduce your Mean Time to Contain (MTTC). You also eliminate unnecessary reporting because, with 100 percent data attribution, you can be certain if a breach occurred and how many records were breached.
5. You have to confiscate a device to enact a legal hold.
Really? Are you still putting up with that significant productivity drain? With a modern endpoint backup system, your legal team can conduct in-place legal holds and file collection without confiscating user devices—and without having to rely on IT staff.
Need better backup? Start here.
If two or more of these statements apply to your organization, it’s time to go shopping for modern endpoint backup.
Download The Guide to Modern Endpoint Backup and Data Visibility to learn more about selecting a modern endpoint backup solution in a dangerous world.
The post Learning from Delta: The High Cost of Outdated Backup Systems appeared first on Cloud Security Alliance Blog.
from Cloud Security Alliance Blog http://ift.tt/2bz6boq
Chainfire's SuHide — Now You Can Hide Your Root Status On Per-App Basis
Famous Android developer Chainfire has released an experimental hack with a new app, called "Suhide," that allows users to hide the root status of their rooted Android devices on an app-by-app basis.
Rooting your Android device can bring a lot of benefits, giving you access to a wide variety of apps and deeper access to the Android system... But at what cost?
One of the major drawbacks of rooting your device is losing access to certain apps, which includes banking, payment and corporate security apps that work with financial and confidential data, such as your bank details. Such apps don't work on rooted devices.
A great example of this is Google's Android Pay. Since its launch, developers have been working hard to get Android Pay working on rooted devices, but unfortunately, they have not had much success.
But why exclude rooted devices? It's because Google cares about your security.
SafetyNet — That's How Google Detects Tampered Devices
Google uses something called the SafetyNet API to detect whether your Android device is rooted, and restricts access to those features.
If, say, your Android device got infected by some system-level malware that has the ability to spy on Android Pay and other apps, SafetyNet would prevent Android Pay from functioning.
The SafetyNet API works by checking whether an Android device has been tampered with – either rooted by a user, running a custom ROM, or infected with malware – and if it finds any tampering, the API blocks access to that app.
Google has also made the SafetyNet API available to all third-party app developers to check for the presence of root.
However, the Suhide app, developed and released by Chainfire, allows users to hide the root status of their device on an app-by-app basis, and it seems to be working with Android Pay as well.
The app also works with several other applications that currently require a non-rooted device to run.
Suhide works only on a stock ROM (to beat Google's SafetyNet) based on Android 6.0 Marshmallow or higher.
However, the app probably will not last long, as Chainfire came up with Systemless Root late last year, which did not allow Android Pay to detect rooted users, but after a little while Google patched things up, rejecting rooted users once again.
So, the chances are that Google will undoubtedly catch up with Suhide and other potential hacks that allow users of rooted devices to hide the fact that they are rooted.
But for now, you can enjoy using Android Pay on your rooted device once again until Google comes up with a new update.
from The Hacker News http://ift.tt/2bWTZ5l
Two US State Election Systems Hacked to Steal Voter Databases — FBI Warns
A group of unknown hackers or an individual hacker may have breached voter registration databases for election systems in at least two US states, according to the FBI, who found evidence during an investigation this month.
Although no intrusion into the state voting systems themselves has been reported, the FBI is currently investigating the cyberattacks on the official voter registration websites in both Illinois and Arizona, Yahoo News reported.
The FBI's Cyber Division released a "Flash Alert" to election offices and officials across the United States, asking them to watch out for any potential intrusions and take better security precautions.
"In late June 2016, an unknown actor scanned a state's Board of Election website for vulnerabilities using Acunetix, and after identifying a Structured Query Language (SQL) injection (SQLi) vulnerability, used SQLmap to target the state website," the FBI alert reads.
"The majority of the data exfiltration occurred in mid-July. There were 7 suspicious IPs and penetration testing tools Acunetix, SQLMap, and DirBuster used by the actor."
The SQL injection attack on the Illinois state board website took place in late July, which brought down the state’s voter registration system for ten days and siphoned off data on as many as 200,000 registered voters.
The Arizona attack, however, was less significant: the hackers' vulnerability scanner did not find any loophole that could have allowed them to steal data.
In the wake of these attacks, the FBI also advised the Boards of Elections of all states to investigate their server logs and determine whether any similar SQL injection, privilege escalation attempts, or directory enumeration activity has occurred.
Last December, a misconfigured 300GB database also resulted in the exposure of around 191 million US voter records, including full names, home addresses, unique voter IDs, dates of birth and phone numbers.
Why Blame Russia, Always? There's No Evidence Yet
The attacks against the state election boards came weeks after the DNC hack that leaked embarrassing emails about the party, leading to the resignation of DNC (Democratic National Committee) Chairwoman Debbie Wasserman Schultz.
Some security experts and law enforcement agencies raised concerns about politically motivated hacking, pointing the finger at Russian state-sponsored hackers in an attempt to damage Hillary Clinton’s presidential campaign.
Although the FBI does not attribute the recent attacks to any particular hacking group or country, Yahoo News links the attacks to Russia on the basis of IP addresses involved.
However, the IP addresses that the FBI said were associated with the attacks belong to a Russian VPN service, which does not prove that Russians are behind the attacks.
It's believed that the hacks were carried out to disturb the election process either by altering voting totals in the database or by modifying the voter registration page.
Script-Kiddie Move Reveals Everything:
But by scanning the website with a vulnerability scanner and downloading the whole database, the ‘script kiddies’ made a rod for their own back, which indicates that they were neither sophisticated state-sponsored hackers nor intent on influencing the election covertly.
Neither the Illinois nor the Arizona board of elections has responded to these hack attempts.
from The Hacker News http://ift.tt/2byo4c3
Angler by Lurk: Why the infamous cybercriminal group that stole millions was renting out its most powerful tool
At the beginning of the summer, Kaspersky Lab assisted in the arrest of suspects who were part of the Lurk gang, which allegedly stole more than 45 million dollars from a number of companies and banks in Russia. It was the largest financial cybercrime group to be caught in recent years. However, this wasn’t the only cybercriminal activity the Lurk group has been involved in. According to analysis of the IT infrastructure behind the Lurk malware, its operators were developing and renting out their exploit kit to other cybercriminals. Their Angler exploit kit is a set of malicious programs capable of exploiting vulnerabilities in widespread software and silently installing additional malware on PCs.
For years the Angler exploit kit was one of the most powerful tools available to hackers on the underground. Angler activity dates back to late 2013, when the kit became available for hire. Multiple cybercriminal groups involved in propagating different kinds of malware used it, from adware to banking malware and ransomware. In particular, this exploit kit was actively used by the group behind CryptXXX ransomware (one of the most active and dangerous ransomware threats online), TeslaCrypt and others. Angler was also used to propagate the Neverquest banking trojan, which was built to attack nearly 100 different banks. The operations of Angler were disrupted right after the arrest of the Lurk group.
As research conducted by Kaspersky Lab security experts has shown, the Angler exploit kit was originally created for a single purpose: to provide the Lurk group with a reliable and efficient delivery channel, allowing their banking malware to reach target PCs. Being a very closed group, Lurk tried to keep control over its crucial infrastructure instead of outsourcing some parts of it as other groups do. But in 2013, things changed for the gang, and they opened access to the kit to all who were willing to pay.
“We suggest that the Lurk gang’s decision to open access to Angler was partly provoked by necessity to pay bills. By the time they opened Angler for rent, the profitability of their main “business” – cyber-robbing organizations – was decreasing due to a set of security measures implemented by remote banking system software developers. These made the process of theft much harder for these hackers. But by that time Lurk had a huge network infrastructure and a large number of “staff” - and everything had to be paid for. They therefore decided to expand their business, and they succeeded to a certain degree. While the Lurk banking trojan only posed a threat to Russian organizations, Angler has been used in attacks against users worldwide,” explained Ruslan Stoyanov, Head of the Computer Incident Investigations Department.
The Angler exploit kit – its development and support – wasn’t the only Lurk group side activity. Over a period of more than five years, the group moved from creating very powerful malware for automated money theft via Remote Banking Services software to sophisticated theft schemes involving SIM-card swap fraud and hacking specialists familiar with the inside infrastructure of banks.
All Lurk group actions during this time were monitored and documented by Kaspersky Lab security experts.
Read more about how Kaspersky Lab researched the activity of the Lurk group over five years in an article by Ruslan Stoyanov on Securelist.com.
Read more: The Lurk financial cybercrime group: What businesses can learn.
from Corporate News http://ift.tt/2bNXJmi
Monday, August 29, 2016
USN-3072-2: Linux kernel (OMAP4) vulnerabilities
Ubuntu Security Notice USN-3072-2
29th August, 2016
linux-ti-omap4 vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary
Several security issues were fixed in the kernel.
Software description
- linux-ti-omap4 - Linux kernel for OMAP4
Details
Kangjie Lu discovered an information leak in the Reliable Datagram Sockets
(RDS) implementation in the Linux kernel. A local attacker could use this
to obtain potentially sensitive information from kernel memory.
(CVE-2016-5244)
Yue Cao et al discovered a flaw in the TCP implementation's handling of
challenge acks in the Linux kernel. A remote attacker could use this to
cause a denial of service (reset connection) or inject content into a TCP
stream. (CVE-2016-5696)
It was discovered that a heap based buffer overflow existed in the USB HID
driver in the Linux kernel. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2016-5829)
Update instructions
The problem can be corrected by updating your system to the following package version:
- Ubuntu 12.04 LTS:
- linux-image-3.2.0-1487-omap4 3.2.0-1487.114
To update your system, please follow these instructions: http://ift.tt/17VXqjU.
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References
CVE-2016-5244, CVE-2016-5696, CVE-2016-5829
from Ubuntu Security Notices http://ift.tt/2c4Wosh
USN-3072-1: Linux kernel vulnerabilities
Ubuntu Security Notice USN-3072-1
29th August, 2016
linux vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary
Several security issues were fixed in the kernel.
Software description
- linux - Linux kernel
Details
Kangjie Lu discovered an information leak in the Reliable Datagram Sockets
(RDS) implementation in the Linux kernel. A local attacker could use this
to obtain potentially sensitive information from kernel memory.
(CVE-2016-5244)
Yue Cao et al discovered a flaw in the TCP implementation's handling of
challenge acks in the Linux kernel. A remote attacker could use this to
cause a denial of service (reset connection) or inject content into a TCP
stream. (CVE-2016-5696)
It was discovered that a heap based buffer overflow existed in the USB HID
driver in the Linux kernel. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2016-5829)
Update instructions
The problem can be corrected by updating your system to the following package version:
- Ubuntu 12.04 LTS:
- linux-image-3.2.0-109-generic 3.2.0-109.150
- linux-image-3.2.0-109-virtual 3.2.0-109.150
- linux-image-3.2.0-109-generic-pae 3.2.0-109.150
- linux-image-3.2.0-109-powerpc64-smp 3.2.0-109.150
- linux-image-3.2.0-109-highbank 3.2.0-109.150
- linux-image-3.2.0-109-omap 3.2.0-109.150
- linux-image-3.2.0-109-powerpc-smp 3.2.0-109.150
To update your system, please follow these instructions: http://ift.tt/17VXqjU.
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References
CVE-2016-5244, CVE-2016-5696, CVE-2016-5829
from Ubuntu Security Notices http://ift.tt/2bMQL5p
USN-3071-2: Linux kernel (Trusty HWE) vulnerabilities
Ubuntu Security Notice USN-3071-2
29th August, 2016
linux-lts-trusty vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary
Several security issues were fixed in the kernel.
Software description
- linux-lts-trusty - Linux hardware enablement kernel from Trusty for Precise
Details
USN-3071-1 fixed vulnerabilities in the Linux kernel for Ubuntu
14.04 LTS. This update provides the corresponding updates for the
Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for
Ubuntu 12.04 LTS.
Kangjie Lu discovered an information leak in the Reliable Datagram Sockets
(RDS) implementation in the Linux kernel. A local attacker could use this
to obtain potentially sensitive information from kernel memory.
(CVE-2016-5244)
Yue Cao et al discovered a flaw in the TCP implementation's handling of
challenge acks in the Linux kernel. A remote attacker could use this to
cause a denial of service (reset connection) or inject content into a TCP
stream. (CVE-2016-5696)
Pengfei Wang discovered a race condition in the MIC VOP driver in the Linux
kernel. A local attacker could use this to cause a denial of service
(system crash) or obtain potentially sensitive information from kernel
memory. (CVE-2016-5728)
Cyril Bur discovered that on PowerPC platforms, the Linux kernel mishandled
transactional memory state on exec(). A local attacker could use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2016-5828)
It was discovered that a heap based buffer overflow existed in the USB HID
driver in the Linux kernel. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2016-5829)
Update instructions
The problem can be corrected by updating your system to the following package version:
- Ubuntu 12.04 LTS:
- linux-image-3.13.0-95-generic 3.13.0-95.142~precise1
- linux-image-3.13.0-95-generic-lpae 3.13.0-95.142~precise1
To update your system, please follow these instructions: http://ift.tt/17VXqjU.
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References
CVE-2016-5244, CVE-2016-5696, CVE-2016-5728, CVE-2016-5828, CVE-2016-5829
from Ubuntu Security Notices http://ift.tt/2c3oMKK
USN-3071-1: Linux kernel vulnerabilities
Ubuntu Security Notice USN-3071-1
29th August, 2016
linux vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary
Several security issues were fixed in the kernel.
Software description
- linux - Linux kernel
Details
Kangjie Lu discovered an information leak in the Reliable Datagram Sockets
(RDS) implementation in the Linux kernel. A local attacker could use this
to obtain potentially sensitive information from kernel memory.
(CVE-2016-5244)
Yue Cao et al discovered a flaw in the TCP implementation's handling of
challenge acks in the Linux kernel. A remote attacker could use this to
cause a denial of service (reset connection) or inject content into a TCP
stream. (CVE-2016-5696)
Pengfei Wang discovered a race condition in the MIC VOP driver in the Linux
kernel. A local attacker could use this to cause a denial of service
(system crash) or obtain potentially sensitive information from kernel
memory. (CVE-2016-5728)
Cyril Bur discovered that on PowerPC platforms, the Linux kernel mishandled
transactional memory state on exec(). A local attacker could use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2016-5828)
It was discovered that a heap based buffer overflow existed in the USB HID
driver in the Linux kernel. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2016-5829)
Update instructions
The problem can be corrected by updating your system to the following package version:
- Ubuntu 14.04 LTS:
- linux-image-3.13.0-95-powerpc64-smp 3.13.0-95.142
- linux-image-3.13.0-95-generic-lpae 3.13.0-95.142
- linux-image-3.13.0-95-powerpc-e500mc 3.13.0-95.142
- linux-image-3.13.0-95-lowlatency 3.13.0-95.142
- linux-image-3.13.0-95-powerpc64-emb 3.13.0-95.142
- linux-image-3.13.0-95-generic 3.13.0-95.142
- linux-image-3.13.0-95-powerpc-smp 3.13.0-95.142
- linux-image-3.13.0-95-powerpc-e500 3.13.0-95.142
To update your system, please follow these instructions: http://ift.tt/17VXqjU.
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References
CVE-2016-5244, CVE-2016-5696, CVE-2016-5728, CVE-2016-5828, CVE-2016-5829
from Ubuntu Security Notices http://ift.tt/2c3q5JK
USN-3070-1: Linux kernel vulnerabilities
Ubuntu Security Notice USN-3070-1
29th August, 2016
linux vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
Summary
Several security issues were fixed in the kernel.
Software description
- linux - Linux kernel
Details
A missing permission check when setting ACLs was discovered in nfsd. A
local user could exploit this flaw to gain access to any file by setting an
ACL. (CVE-2016-1237)
Kangjie Lu discovered an information leak in the Reliable Datagram Sockets
(RDS) implementation in the Linux kernel. A local attacker could use this
to obtain potentially sensitive information from kernel memory.
(CVE-2016-5244)
James Patrick-Evans discovered that the airspy USB device driver in the
Linux kernel did not properly handle certain error conditions. An attacker
with physical access could use this to cause a denial of service (memory
consumption). (CVE-2016-5400)
Yue Cao et al discovered a flaw in the TCP implementation's handling of
challenge acks in the Linux kernel. A remote attacker could use this to
cause a denial of service (reset connection) or inject content into a TCP
stream. (CVE-2016-5696)
Pengfei Wang discovered a race condition in the MIC VOP driver in the Linux
kernel. A local attacker could use this to cause a denial of service
(system crash) or obtain potentially sensitive information from kernel
memory. (CVE-2016-5728)
Cyril Bur discovered that on PowerPC platforms, the Linux kernel mishandled
transactional memory state on exec(). A local attacker could use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2016-5828)
It was discovered that a heap based buffer overflow existed in the USB HID
driver in the Linux kernel. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2016-5829)
It was discovered that the OverlayFS implementation in the Linux kernel did
not properly verify dentry state before proceeding with unlink and rename
operations. A local attacker could use this to cause a denial of service
(system crash). (CVE-2016-6197)
Update instructions
The problem can be corrected by updating your system to the following package version:
- Ubuntu 16.04 LTS:
- linux-image-4.4.0-36-generic-lpae 4.4.0-36.55
- linux-image-4.4.0-36-powerpc64-smp 4.4.0-36.55
- linux-image-4.4.0-36-powerpc-e500mc 4.4.0-36.55
- linux-image-4.4.0-36-powerpc64-emb 4.4.0-36.55
- linux-image-4.4.0-36-lowlatency 4.4.0-36.55
- linux-image-4.4.0-36-generic 4.4.0-36.55
- linux-image-4.4.0-36-powerpc-smp 4.4.0-36.55
To update your system, please follow these instructions: http://ift.tt/17VXqjU.
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References
CVE-2016-1237, CVE-2016-5244, CVE-2016-5400, CVE-2016-5696, CVE-2016-5728, CVE-2016-5828, CVE-2016-5829, CVE-2016-6197
from Ubuntu Security Notices http://ift.tt/2c4XsMD
Chinese Certificate Authority 'mistakenly' gave out SSL Certs for GitHub Domains
A Chinese certificate authority (CA) appears to have made a significant security blunder by handing out duplicate SSL certificates for a base domain to anyone who merely controlled one of its subdomains.
The certificate authority, named WoSign, issued a base certificate for the GitHub domains to an unnamed GitHub user.
But how? First of all, the traditional digital certificate management system is the weakest link on the Internet today and has already been broken.
Billions of Internet users blindly rely on hundreds of Certificate Authorities (CAs) around the globe to ensure the confidentiality and integrity of their personal data.
But these CAs have the power to issue a valid SSL certificate for any domain you own, regardless of the fact that you already have one purchased from another CA.
...and that's the biggest loophole in the CA system.
In the latest case as well, WoSign issued a duplicate SSL certificate for GitHub domains without verifying ownership of the base domain.
The incident was first publicly disclosed by British Mozilla programmer Gervase Markham on Mozilla's security policy mailing list, who said the issue occurred over a year ago, in July 2015, but went unreported.
"In June 2015, an applicant found a problem with WoSign's free certificate service, which allowed them to get a certificate for the base domain if they were able to prove control of a subdomain," Markham wrote in the mailing list.
According to Markham, an unnamed security researcher accidentally discovered this security blunder when trying to get a certificate for 'med.ucf.edu': he mistakenly also applied for 'www.ucf.edu', and WoSign approved it, handing over a certificate for the university's primary domain.
For testing purposes, the researcher also used this trick against the GitHub base domains, i.e. github.com and github.io, by proving his control over a user-based subdomain.
...And guess what? WoSign handed over the certificate for GitHub's main domains, too.
The researcher reported this issue to WoSign, giving only the GitHub certificate as an example. Thus, the Chinese CA revoked only the GitHub certificate, rather than both certificates.
Why just one? It is quite possible that the CA has no tracking ability to discover and revoke all mistakenly issued base certificates for other domains through its own investigation, even after being informed of the problem.
The researcher recently got in touch with Google and reported that the ucf.edu cert had still not been revoked almost a year later.
How can you check whether a rogue certificate for your domain has been issued to someone else, possibly a malicious attacker? The answer is Certificate Transparency, or CT, a public service that allows individuals and companies to monitor how many digital certificates have been issued for their domains without their knowledge.
Certificate Transparency requires CAs to declare publicly (to Certificate Log) every digital cert they have generated. Even WoSign has participated in CT.
Certificate Log offers you a way to look up all of the digital certificates that have been issued for your domain name.
Although Certificate Transparency doesn't prevent a CA from issuing rogue certificates, it makes detecting them much easier.
Currently, Google, Symantec, DigiCert, and a few other CAs are hosting
public CT logs.
You can try Google's Certificate Transparency Lookup Tool or Comodo's Certificate Transparency Search tool to check all certificates present in public Certificate Transparency logs that have been issued for your domain.
If you find a fraudulent certificate issued for your domain, report it to the respective CA and have it addressed immediately.
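The two defensive checks this story turns on, as an added example (not code from The Hacker News, WoSign, or any CA): the domain-control rule a CA must apply when validating a certificate request, and a minimal Certificate Transparency monitor of the kind the article recommends. The `may_issue_for_flawed` function is a plausible reconstruction of the mistake the article describes (treating control of a subdomain as control of its base domain), not WoSign's actual code. The issuer names, domain list and log entries are constructed sample data.

```python
"""Domain-control validation and a minimal CT-log monitor (added example).

1. may_issue_for(): the correct CA rule. Proving control of a name
   authorises issuance only for that name and names beneath it, never
   for a parent or base domain (med.ucf.edu must not yield www.ucf.edu).
2. find_unexpected_certs(): scan CT log entries and flag certificates that
   cover a domain you own but were issued by a CA you did not authorise.
"""
from __future__ import annotations

from dataclasses import dataclass


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def is_same_or_subdomain(name: str, parent: str) -> bool:
    """True if `name` equals `parent` or lies beneath it, compared label by
    label (so evilgithub.com is NOT under github.com)."""
    n, p = _labels(name), _labels(parent)
    return len(n) >= len(p) and n[-len(p):] == p


def may_issue_for(proven_control: str, requested_name: str) -> bool:
    """Correct rule: the requested name must be the proven name or below it."""
    return is_same_or_subdomain(requested_name, proven_control)


def may_issue_for_flawed(proven_control: str, requested_name: str) -> bool:
    """Hypothetical reconstruction of the bug described in the article:
    accepting a request when the two names are related in EITHER direction,
    which lets a subdomain holder obtain the base domain. Not real CA code."""
    return (is_same_or_subdomain(requested_name, proven_control)
            or is_same_or_subdomain(proven_control, requested_name))


@dataclass(frozen=True)
class LogEntry:
    """One certificate as it would appear in a CT log (simplified)."""
    issuer: str
    san: tuple[str, ...]   # Subject Alternative Names the cert covers
    not_before: str


# Constructed sample data, not real CT log contents.
MY_DOMAINS = ("github.com", "github.io")
TRUSTED_ISSUERS = {"DigiCert Inc"}   # the CAs you actually buy from
SAMPLE_LOG = (
    LogEntry("DigiCert Inc", ("github.com", "www.github.com"), "2015-03-01"),
    LogEntry("WoSign CA Limited", ("github.com", "github.io"), "2015-07-10"),
    LogEntry("Example CA", ("example.org",), "2015-07-11"),
    LogEntry("Example CA", ("evilgithub.com",), "2015-07-12"),
)


def find_unexpected_certs(entries, my_domains=MY_DOMAINS,
                          trusted=TRUSTED_ISSUERS) -> list[LogEntry]:
    """Return log entries covering one of `my_domains` (or a name beneath
    them) whose issuer is not on the allowlist."""
    flagged = []
    for entry in entries:
        covers_mine = any(is_same_or_subdomain(n, d)
                          for n in entry.san for d in my_domains)
        if covers_mine and entry.issuer not in trusted:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    print("med.ucf.edu -> www.ucf.edu allowed?",
          may_issue_for("med.ucf.edu", "www.ucf.edu"))
    for e in find_unexpected_certs(SAMPLE_LOG):
        print("UNEXPECTED:", e.issuer, e.san, e.not_before)
```

Run against a real log you would feed `find_unexpected_certs` the issuer and SAN fields of each entry returned by a CT search; the allowlist is deliberately an exact-match set so that a new or look-alike issuer name is flagged rather than silently accepted.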
from The Hacker News http://ift.tt/2bwY1BK
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Development Package for Apache Spark
There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 8.0 that is used by IBM Development Package for Apache Spark. These issues were disclosed as part of the IBM Java SDK updates in April 2016.
CVE(s):
If you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether the complete list of vulnerabilities is applicable to it. For a complete list of vulnerabilities, please refer to the link for “IBM Java SDK Bulletin” located in the “References” section for more information.
The only CVEs that affect IBM SDK, Java Technology Edition, Version 8.0 are: CVE-2016-3598, CVE-2016-3511, and CVE-2016-3485.
Affected product(s) and affected version(s):
Principal Product and Version(s) | Affected IBM Java SDK Version |
IBM Development Package for Apache Spark 1.6.2.0 and earlier releases | IBM SDK, Java Technology Edition, Version 8.0 Service Refresh 3 and earlier releases |
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2c9gSmz
IBM Java SDK Bulletin: http://ift.tt/2c0db0s
from IBM Product Security Incident Response Team http://ift.tt/2c9hqcb
Cisco Adaptive Security Appliance Xlates Table Exhaustion Vulnerability
Cisco Adaptive Security Appliance (ASA) Software contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
The vulnerability is due to the improper implementation of the Network Address Translation (NAT) process by the affected software. An unauthenticated, remote attacker could exploit this vulnerability by sending crafted packets to the targeted device. If successful, an attacker could cause a delay in new valid connections until the invalid entries expire, resulting in a DoS condition.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. However, mitigations for this vulnerability are available.
This advisory is available at the following link:
http://ift.tt/2c9aVGm
Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.
Security Impact Rating: Medium
CVE: CVE-2013-1138
from Cisco Security Advisory http://ift.tt/2c9aVGm