Saturday, August 31, 2019

Brazilian citizen data under threat with sale of national tech firms

IBM Security Bulletin: Password vulnerability in IBM® Intelligent Operations Center (CVE-2019-4321)

IBM® Intelligent Operations Center does not require users to have strong passwords by default, which makes it easier for attackers to compromise user accounts.

CVE(s): CVE-2019-4321

Affected product(s) and affected version(s):
This vulnerability affects the following products and versions:

  • IBM® Intelligent Operations Center V5.1.0 – V5.2.0
  • IBM® Intelligent Operations Center for Emergency Management V5.1.0 – V5.1.0.6
  • IBM® Water Operations for Waternamics V5.1.0 – V5.2.1.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=ibm10885901
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/161201

The post IBM Security Bulletin: Password vulnerability in IBM® Intelligent Operations Center (CVE-2019-4321) appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/2MPainG

Friday, August 30, 2019

WordPress sites under attack as hacker group tries to create rogue admin accounts

Jack Dorsey's Twitter account got hacked

New Forensic Investigation Procedures for First Responder Guides

Cisco is pleased to announce a new series of Forensic Investigation Procedures for First Responders guides that will help customers and partners triage Cisco products that are suspected of being tampered with or compromised. These guides provide step-by-step instructions for collecting information that first responders can use for forensic analysis for several different platforms, including devices that run Cisco IOS and IOS XE Software, and devices that run Cisco ASA or Firepower Threat Defense (FTD) Software.

These new documents are available on the Cisco.com Security Portal under Tactical Resources.

The following is a summary of the documents released thus far, along with a brief description of each one.

Cisco ASA Forensic Investigation Procedures for First Responders

This document provides guidance for collecting forensic evidence from the Cisco ASA 5500-X series of devices when compromise or tampering is suspected. It outlines several procedures for collecting platform configuration and run time state, examining system image hashes for inconsistencies, verifying the system and running images for proper signing characteristics, checking the ROM monitor configuration for signs of remote image loading, and procedures for obtaining both a core file and the memory text segment from an ASA platform.

The document also includes a procedure for checking the integrity of the webvpn configuration for ASA deployments implementing SSL VPN.

Cisco FTD Forensic Investigation Procedures for First Responders

This document provides steps for collecting forensic information from Cisco ASA 5500-X devices running Firepower Threat Defense (FTD) Software when compromise or tampering is suspected. This document contains procedures for collecting platform configuration and run time state, examining system image hashes for inconsistencies, verifying proper signing characteristics of FTD system and running images, retrieving and verifying the memory text segment, generating and retrieving both crashinfo and core files, and examining the ROM monitor settings for remote system image loading.

Cisco IOS Software Forensic Investigation Procedures for First Responders

This document provides guidance for collecting evidence from Cisco IOS devices when compromise or tampering is suspected and includes procedures for collecting platform configuration and run time state, examining system image hashes for inconsistencies, examining the ROM monitor region for an upgraded image, and obtaining both a core dump of the running IOS image and the contents of the memory text region.

The document also includes a procedure that provides an alternate method of image analysis if a core dump cannot be performed on a platform that is performing mission-critical traffic forwarding.

Cisco IOS XE Software Forensic Investigation Procedures for First Responders

This document provides guidance for collecting evidence from Cisco IOS XE devices when compromise or tampering is suspected and includes procedures for collecting platform configuration and run time state, examining system image hashes for inconsistencies, verifying the integrity and signing characteristics of system and running images, and exporting the text memory segment to verify the run time integrity of the IOSd process.
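All four guides above include a step for examining system image hashes for inconsistencies. The check below is an added example of that step, not Cisco's code and not taken from any of the guides: it computes SHA-512 digests of image files copied off a suspect device and compares them with a known-good manifest, flagging files whose hash differs and files the manifest does not cover at all. The file names, the manifest and both image blobs are constructed stand-ins.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample data: two stand-in "image" blobs, not real Cisco files.
GOOD_IMAGE = b"stand-in for a vendor-published system image" * 64
TAMPERED_IMAGE = GOOD_IMAGE[:-1] + b"\x00"   # same length, one byte altered


def sha512_hex(data: bytes) -> str:
    """SHA-512 hex digest of a collected file's bytes (lowercase hex)."""
    return hashlib.sha512(data).hexdigest()


def compare_image_hashes(known_good: Dict[str, str],
                         collected: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Compare each collected image against a known-good hash manifest.

    known_good maps file name -> published SHA-512 hex string.
    collected  maps file name -> bytes copied off the suspect device.

    Returns (file name, status) pairs, where status is:
      OK        hash matches the published value
      MISMATCH  hash differs from the published value
      UNKNOWN   no published hash for this file name, so it cannot be cleared
    Published hashes are normalised (whitespace stripped, lowercased) before
    comparison so copy-pasted uppercase digests still match.
    """
    results: List[Tuple[str, str]] = []
    for name in sorted(collected):
        observed = sha512_hex(collected[name])
        expected = known_good.get(name)
        if expected is None:
            results.append((name, "UNKNOWN"))
        elif observed != expected.strip().lower():
            results.append((name, "MISMATCH"))
        else:
            results.append((name, "OK"))
    return results


def images_needing_attention(results: List[Tuple[str, str]]) -> List[str]:
    """File names whose status is anything other than OK."""
    return [name for name, status in results if status != "OK"]


if __name__ == "__main__":
    # Constructed manifest: the "published" hash is just the hash of our stand-in.
    manifest = {"asa-image.bin": sha512_hex(GOOD_IMAGE)}
    collected = {"asa-image.bin": TAMPERED_IMAGE, "unlisted.bin": b"no manifest entry"}
    for name, status in compare_image_hashes(manifest, collected):
        print(f"{status:8} {name}")
    print("needs attention:", images_needing_attention(compare_image_hashes(manifest, collected)))
```

Two points a first responder should keep in mind when using a check like this: the digests should be computed on a trusted workstation from a copy of the file, because a device whose integrity is in question may misreport hashes it computes itself, and the known-good values must come from an out-of-band source such as the vendor's published hashes. A file reported as UNKNOWN is unresolved, not cleared.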

Dan Maunz, an Incident Manager in the CX Security Programs group, contributed content for this article.



from Cisco Blog » Security https://ift.tt/2ZKDPFb

Face-Off

Threat Roundup for August 23 to August 30

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Aug. 23 and Aug. 30. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference:

TRU08302019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.



from Cisco Blog » Security https://ift.tt/2HDaYbw

Hack Exploited Apple Users for Two Years

Biometric ID Cards Ahoy!

Foxit PDF Software Company Suffers Data Breach—Asks Users to Reset Password


If you have an online account with Foxit Software, you need to reset your account password immediately—as an unknown attacker has compromised your personal data and log-in credentials.

Foxit Software, a company known for its popular lightweight Foxit PDF Reader and PhantomPDF applications, used by over 525 million users, today announced a data breach exposing the personal information of 'My Account' service users.

Though using the free versions of Foxit PDF software doesn't require users to sign up for an account, membership is mandatory for customers who want to access "software trial downloads, order histories, product registration information, and troubleshooting and support information."

According to a blog post published today by Foxit, unknown third parties recently gained unauthorized access to its data systems and accessed its "My Account" registered users' data, including their email addresses, passwords, user names, phone numbers, company names, and IP addresses.

From the company's statement, it's not clear if the leaked account passwords are protected with a robust hashing algorithm and salting mechanism to make it tough for hackers to crack them.

However, the company assured its users that no payment card details or other personal identification data of its My Account users had been accessed since the compromised system doesn't hold this data.

Reset Your 'My Account' Password Now!

In response to this security incident, Foxit has immediately invalidated the account passwords for all affected users, requiring them to reset their passwords to regain access to their online account on the Foxit Software website.

The company has also launched a digital forensics investigation as well as notified law enforcement agencies and data protection authorities of the incident.

Besides this, Foxit Software has also hired a security management firm to conduct an in-depth analysis of its systems and strengthen its security in order to protect the company against future cybersecurity incidents.

Following the password reset, the company has also contacted affected users via email (as shown above in the screenshot shared by a user), providing them with a link to create a new, strong and unique password for their accounts to prevent any unauthorized access.

Foxit has also advised users to remain vigilant: to be cautious of any suspicious emails asking them to click links or download attachments, and to review their account statements and monitor their credit reports to avoid identity theft.



from The Hacker News https://ift.tt/2MMA0cu

Company behind Foxit PDF Reader announces security breach

IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Collaboration and Deployment Services

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Version JRE71SR4FP45 and JRE8SR5FP36 used by Collaboration and Deployment Services on AIX 64-bit pSeries platform. These issues were disclosed as part of the IBM Java SDK updates in July 2019.

CVE(s): CVE-2019-4473, CVE-2019-11771

Affected product(s) and affected version(s):
IBM SPSS Collaboration and Deployment Services 7.0.0.1, 8.0.0.0, 8.1.0.0, 8.2, 8.2.1.0.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm11071822
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/163984
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/163989

The post IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Collaboration and Deployment Services appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/2UeLXse

IBM Security Bulletin: Vyatta 5600 vRouter Software Patches – Release 1801-za

AT&T has released version 1801-za for the Vyatta 5600. Details of this release can be found at https://ift.tt/2zxco2L

CVE(s): CVE-2019-12749, CVE-2016-10228, CVE-2016-6323, CVE-2015-5180, CVE-2017-1000366, CVE-2017-16887, CVE-2017-12133, CVE-2017-15804, CVE-2017-15671, CVE-2017-15670, CVE-2018-6485, CVE-2018-1000001, CVE-2017-12132, CVE-2019-12735, CVE-2019-10161, CVE-2018-20843, CVE-2019-11884, CVE-2019-11833, CVE-2019-11815, CVE-2019-11599, CVE-2019-11486, CVE-2019-11479, CVE-2019-11478, CVE-2019-11477, CVE-2019-10126, CVE-2019-9503, CVE-2019-9500, CVE-2019-5489, CVE-2019-3846, CVE-2019-1543, CVE-2019-13132

Affected product(s) and affected version(s):
VRA – Vyatta 5600

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10960426
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/162386
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/124078
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/118247
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/130620
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/127452
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/137394
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131622
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/133996
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/133909
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/133915
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/138627
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/137516
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/129949
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/162255
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/162805
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/163073
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/161261
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/161235
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/160729
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/160262
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/160016
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/162665
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/162664
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/162662
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/162145
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/159643
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/159642
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/155197
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/161814
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/157841
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/163459

The post IBM Security Bulletin: Vyatta 5600 vRouter Software Patches – Release 1801-za appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/34csBs6

IBM Security Bulletin: Vyatta 5600 vRouter Software Patches – Release 1801-z

AT&T has released version 1801-z for the Vyatta 5600. Details of this release can be found at https://ift.tt/2zxco2L

CVE(s): CVE-2019-3863, CVE-2019-3862, CVE-2019-3861, CVE-2019-3860, CVE-2019-3859, CVE-2019-3858, CVE-2019-3857, CVE-2019-3856, CVE-2019-3855, CVE-2019-6465, CVE-2018-5745, CVE-2018-5743, CVE-2019-8325, CVE-2019-8324, CVE-2019-8323, CVE-2019-8322, CVE-2019-8321, CVE-2019-8320, CVE-2019-7317

Affected product(s) and affected version(s):
VRA – Vyatta 5600

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10887793
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/158347
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/158346
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/158345
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/158344
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/158343
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/158342
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/158341
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/158340
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/158339
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/157377
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/157386
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/160127
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/159624
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/159623
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/159622
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/159621
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/159619
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/159618
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/161346

The post IBM Security Bulletin: Vyatta 5600 vRouter Software Patches – Release 1801-z appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/2UeLVAC

IBM Security Bulletin: IBM WebSphere Cast Iron Solution & App Connect Professional is affected by Apache Tomcat vulnerabilities.

IBM WebSphere Cast Iron Solution & App Connect Professional has addressed the following vulnerabilities reported in Apache Tomcat.

CVE(s): CVE-2019-0199

Affected product(s) and affected version(s):

WebSphere Cast Iron v 7.5.0.0, 7.5.0.1, 7.5.1.0

WebSphere Cast Iron v 7.0.0.0, 7.0.0.1, 7.0.0.2

App Connect Professional v 7.5.2.0

App Connect Professional v 7.5.3.0

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10961472
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/158637

The post IBM Security Bulletin: IBM WebSphere Cast Iron Solution & App Connect Professional is affected by Apache Tomcat vulnerabilities. appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/2HwovS0

Using cloud, big data and biometrics to build the airport of the future

Fileless Malware Detections Soar 265% in 2019

HackerOne Announces Five New $1m White Hats

Ransomware Hits Dental Data Backup Service Offering Ransomware Protection


THIS WEEK IN THE IRONIC NEWS:

DDS Safe, an online cloud-based data backup system that hundreds of dental practice offices across the United States use to safeguard medical records and other patient information from ransomware attacks, has itself been hit with ransomware.

Provided by two Wisconsin-based companies, Digital Dental Record and PerCSoft, the backend system of the affected medical records retention and backup solution has probably been hit by Sodinokibi ransomware, also known as Sodin or REvil malware.

Though it's not yet clear how attackers managed to compromise the company's infrastructure, the latest ransomware attack is yet another example of a successful supply chain attack, crippling computer systems in 400 dental practice offices around the United States this week.

According to statements released by both companies, the ransomware hit a remote data management software, which DDS Safe uses to back up its client data, on Monday, August 26, and encrypted the files of hundreds of dental practice customers relying on the backup solution.

The ransomware attack had some serious effect on some dental offices, with one McFarland dentist quoted by CNN as saying: "We have no access to the patient charts, schedule, x-rays, or payment ledger. The doctor cannot do proper treatment without a chart history and x-rays."

Ransomware typically encrypts all files on the targeted computers and then demands a ransom (usually in Bitcoin) in exchange for a decryptor from the attacker that lets the victims regain access to their important files.

At the time of writing, the company claimed to have a decryptor that it is using to help affected customers decrypt their files, with a good success rate.

"PerCSoft assures us it is working to restore files as quickly and completely as possible, but restoration is a slow and methodical process that could take several days to complete," the Digital Dental Record said.

However, the official statements from the companies do not mention how they obtained the ransomware decryption software, suggesting that an undisclosed ransom has been paid to the cybercriminals.

Meanwhile, the companies said they are actively working with the Federal Bureau of Investigation's Cyber Crime Unit to thoroughly investigate the incident, adding that they have been in touch with most of the affected customers, describing them as "only a small percentage of the affected practices."

This year has seen a rise in ransomware attacks against public infrastructure and government institutions, from which cybercriminals expect a successful return because the targeted organizations' data is, in most cases, vital to the public interest.

Earlier this year, ransomware crippled computer system infrastructure of multiple states in the United States, including Florida, Baltimore, and Texas. In March, ransomware also hit Norsk Hydro, forcing the aluminum giant to shut down several plants and switch to manual operations.

Just last week, some residents of Johannesburg, South Africa's financial capital, were left without electricity after the city's power company was hit by ransomware.



from The Hacker News https://ift.tt/2Hxd5h2

Huawei Faces Android Blackout on 5G Smartphone

Google finds malicious sites pushing iOS exploits for years

Google Uncovers How Just Visiting Some Sites Were Secretly Hacking iPhones For Years


Beware Apple users!

Your iPhone can be hacked just by visiting an innocent-looking website, confirms a terrifying report Google researchers released earlier today.

The story goes back to a widespread iPhone hacking campaign that cybersecurity researchers from Google's Project Zero discovered earlier this year in the wild, involving at least five unique iPhone exploit chains capable of remotely jailbreaking an iPhone and implanting spyware on it.

Those iOS exploit chains were found exploiting a total of 14 separate vulnerabilities in Apple's iOS mobile operating system—of which 7 flaws resided in Safari web browser, 5 in the iOS kernel and 2 separate sandbox escape issues—targeting devices with almost every version in that time-frame from iOS 10 through to the latest version of iOS 12.

According to a deep-dive blog post published by Project Zero researcher Ian Beer, only two of the 14 security vulnerabilities were zero-days, CVE-2019-7287 and CVE-2019-7286, and unpatched at the time of discovery—and surprisingly, the campaign remained undetected for at least two years.

Though the technical details and background story of both then-zero-day vulnerabilities were not available at that time, The Hacker News warned about both the flaws in February after Apple released iOS version 12.1.4 to address them.

"We reported these issues to Apple with a 7-day deadline on 1 Feb 2019, which resulted in the out-of-band release of iOS 12.1.4 on 7 Feb 2019. We also shared the complete details with Apple, which were disclosed publicly on 7 Feb 2019," Beer says.

Now, as the Google researcher explained, the attack was being carried out through a small collection of hacked websites with thousands of visitors per week, targeting every iOS user landing on those websites without discrimination.

"Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant," Beer says.

Once an iPhone user visited one of the hacked websites through the vulnerable Safari web browser, it triggered WebKit exploits for each exploit chain in an attempt to gain an initial foothold onto the user's iOS device and stage the privilege escalation exploits to further gain root access to the device, which is the highest level of access.

The iPhone exploits were used to deploy an implant primarily designed to steal files like iMessages, photos, and live GPS location data of users, and upload them to an external server every 60 seconds.

"There is no visual indicator on the device that the implant is running. There's no way for a user on iOS to view a process listing, so the implant binary makes no attempt to hide its execution from the system," Beer explains.

The spyware implant also stole the database files that popular end-to-end encryption apps like WhatsApp, Telegram, and iMessage use to store data on the victim's device, including private chats in plaintext.

In addition, the implant also had access to users' device's keychain data containing credentials, authentication tokens, and certificates used on and by the device.

"The keychain also contains the long-lived tokens used by services such as Google's iOS Single-Sign-On to enable Google apps to access the user's account. These will be uploaded to the attackers and can then be used to maintain access to the user's Google account, even once the implant is no longer running," Beer says.

While the implant would be automatically wiped off from an infected iPhone upon rebooting thereby leaving no trace of itself, visiting the hacked site again would reinstall the implant.

Alternatively, as Beer explains, the attackers may "nevertheless be able to maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device."

Takeaway: Since Apple already patched the majority of vulnerabilities exploited by the uncovered iPhone exploits, users are always recommended to keep their devices up-to-date to avoid becoming victims of such attack chains.



from The Hacker News https://ift.tt/32oDJkf

Thursday, August 29, 2019

Some of Russia's surveillance tech leaked data for more than a year

Russian police take down malware gang who infected 800,000+ Android smartphones

Drained Batteries? These Stealth Ad-Clicking Apps Could Be to Blame

Google Will Now Pay Anyone Who Reports Apps Abusing Users' Data


In the wake of data abuse scandals and several instances of malware apps being discovered on the Play Store, Google today expanded its bug bounty program to beef up the security of Android apps and Chrome extensions distributed through its platform.

The expansion in Google's vulnerability reward program majorly includes two main announcements.

First, a new program, dubbed 'Developer Data Protection Reward Program' (DDPRP), wherein Google will reward security researchers and hackers who find "verifiably and unambiguous evidence" of data abuse issues in Android apps, OAuth projects, and Chrome extensions.

Second, expanding the scope of its Google Play Security Rewards Program (GPSRP) to include all Android apps from the Google Play Store with 100 million or more installs, helping affected app developers fix vulnerabilities through responsible disclosure.

Get Bounty to Find Data-Abusing Android & Chrome Apps

The data abuse bug bounty program aims to avoid scandals like Cambridge Analytica, which hit Facebook with $5 billion in fines for failing to identify situations where user data is being used or sold unexpectedly or repurposed illegitimately without user consent.

"If data abuse is identified related to an app or Chrome extension, that app or extension will accordingly be removed from Google Play or Google Chrome Web Store," Google says in its blog post published today.
"In the case of an app developer abusing access to Gmail restricted scopes, their API access will be removed."

Google has not yet announced a reward table for the DDPRP program but said that a single report could net up to $50,000 in bounty, depending on the impact.

Bug Bounty On All Android Apps With 100 Million+ Downloads

On the other hand, the GPSRP Program, which was initially launched in 2017, was until today limited to only reporting vulnerabilities in popular Android apps in Google Play Store.

With the latest announcement, Google will now work with the developers of hundreds of thousands of Android apps, each with at least 100 million downloads, helping them receive vulnerability reports and instructions on how to patch them through the Play Console.

"These apps are now eligible for rewards, even if the app developers don't have their own vulnerability disclosure or bug bounty program," Google says.
"If the developers already have their own programs, researchers can collect rewards directly from them on top of the rewards from Google."

Part of Google's App Security Improvement (ASI) program, this existing initiative has already helped over 300,000 developers fix more than 1,000,000 apps on the Google Play Store.

Hopefully, both measures will now allow Google to prevent malicious Android apps and Chrome extensions from abusing its users' data, as well as to beef up the security of apps distributed through Play Store.



from The Hacker News https://ift.tt/2ZBTeTU

Cisco Advanced Malware Protection for Endpoints Awarded AV-Comparatives’ Approved Business Product Award

We are very pleased to share the news that our Advanced Malware Protection (AMP) for Endpoints won the Approved Business Security Award from AV-Comparatives. And we’re happy about this for a couple of reasons. (Click this link to read the full report.)

Most vendors’ marketing materials look great, but your organization exists in the real world. So, having an independent third party conduct months of testing against our technology, and us coming out a winner, helps to show the world what our customers already know: that the strength, flexibility, and ease of use of our endpoint security establishes our leadership. We have over a decade of experience in endpoint protection through Immunet (creators of AMP) and Sourcefire (creators of ClamAV).

AV-Comparatives’ Business Main-Test Series ran from March to June and consisted of two, in-depth tests:

The Malware Protection Test

This test ran in March and consisted of having 1,311 malware samples thrown at us during that time. A passing score required a 90% or higher detection rate and this time zero false positives. We did very well scoring a 99.8% with zero false positives.

The Real-World Protection Test

The idea here was to mimic what happens in, well, the real world. This test ran from March to June and was based upon 732 test cases. The focus here was on user behaviors such as clicking malicious links, opening malicious email attachments, etc.

An efficacy score of 90% or higher and a false positive count of 100 or less were the criteria to pass this test. And, we came in with 98.9% and ranked in the lowest false positive group.

In short, AMP for Endpoints achieved test results that demonstrated a balance of strong protection rates with very low false positives. AV-Comparatives also highlighted Cisco’s broad endpoint platform support and relative ease of deployment.

Beyond antivirus

Secondly, we view this report as further evidence that the security world has moved past the legacy world of antivirus. I’m not saying antivirus doesn’t have a role to play in endpoint security. Our own ClamAV is one of the several mechanisms that AMP for Endpoints uses. What I am saying is that the ‘antivirus as a sole means of endpoint protection’ ship has sailed – and sailed a long time ago.

The biggest problem with antivirus is that it’s not operationally efficient. That means a lower return on your investment and weaker protection of your business. Back in my IT days in the late 90s and early 2000s, antivirus was a big deal, but it was tough enough to administer when I was at a small, two-office operation, let alone when I moved up to a 50,000-user global enterprise. And when the Love Letter worm hit us in 2003, that was a couple of days and nights of manual remediation for our entire department, worldwide, because antivirus couldn’t remediate the problem or identify infected hosts.

Now fast forward to today’s world of fileless malware and multi-vector attacks that combine email, web, endpoints, etc. What’s antivirus going to do about those? The answer is pretty obvious.

What was surprising for me to learn recently was that the majority of organizations out there still rely on antivirus for their endpoint protection. I attribute this to deployment fatigue. Rolling out software is hard. I know. I’ve deployed my share of enterprise software. The good news about AMP for Endpoints is that we can be up and running quickly, as noted on page 28 of the AV-Comparatives report:

“Getting started with Cisco Advanced Malware Protection for Endpoints is very straightforward. The console requires no setup, and deploying the client software is quick and easy.”

The Big Picture

We believe it’s important to put our technology to the test and we feel the results speak to how our solution helps our customers protect their organizations. (I’ve included links to other real-world tests below.) We also believe that strong endpoint protection comes from being a part of an integrated security portfolio. One that dynamically shares the latest threat intelligence is the most effective way to defend against modern attacks. And we’ve designed our integrated security portfolio to do exactly that. But that’s another story for another day.

What’s next?

AV-Comparatives’ testing is continuing through the end of the year and we are looking forward to their year-end report. Tune in here for those results.

Can’t wait for the report? Experience threat hunting with AMP for Endpoints for yourself at one of our Threat Hunting Workshops, or if you can’t wait for the event, sign up for a free trial of AMP for Endpoints at https://cisco.com/go/ampendpoints and see for yourself.

Additional reading

NSS: Achieved “Recommended” rating
Miercom: Achieved “Miercom Performance Verified” certification



from Cisco Blog » Security https://ift.tt/2PnJCfS

Google adds all Android apps with +100m installs to its bug bounty program

Google launches bounty program to spot misuses of Google API, Chrome, and Android user data

Ransomware hits hundreds of dentist offices in the US

Capital One Hacker Also Accused of Hacking 30 More Companies and CryptoJacking


Former Amazon employee Paige Thompson, who was arrested last month in relation to the Capital One data breach, has been accused of hacking not only the U.S. credit card issuer, but also more than 30 other companies.

An indictment unsealed on Wednesday revealed that Thompson not only stole data from misconfigured servers hosted with a cloud-computing company, but also used the computing power of hacked servers to mine cryptocurrency, a practice commonly known as "cryptojacking."

Thompson, known online as "erratic," was arrested by the FBI on July 29 concerning a massive breach in Capital One Financial Corp that exposed the personal information of more than 100 million credit card applicants in the United States and 6 million in Canada.

The stolen data included approximately 140,000 Social Security numbers and 80,000 bank account numbers linked to United States customers, and 1 million Social Insurance numbers belonging to Canadian citizens, along with some customers' names, addresses, dates of birth, credit scores, credit limits, balances, payment history, and contact information.

Law enforcement became aware of Thompson's activity after she posted information relating to her theft of Capital One data on her GitHub account.

However, a federal grand jury yesterday charged Thompson with a total of two counts—one count of wire fraud and one count of computer fraud and abuse—for illicitly accessing data on more than 30 other entities, including Capital One, the U.S. Department of Justice (DOJ) said.

While the indictment [PDF] did not name the involved cloud-computing company, it's highly likely to be Amazon, as Thompson previously worked for Amazon Web Services, which provides cloud computing services to Capital One among others.

But it should also be noted that Amazon Web Services was not compromised in any way since Thompson gained access to the cloud server due to Capital One's misconfiguration and not through a vulnerability in Amazon's infrastructure.

The indictment also did not provide names of the other 30 victims, but it did describe three of the targeted organizations as a state agency outside the State of Washington, a telecommunications conglomerate outside the U.S. and a public research university outside the State of Washington.

Investigators have found no evidence of Thompson selling or disseminating any of the stolen information.

The 33-year-old Seattle-based software engineer remains in custody and is scheduled to be arraigned on the indictment in U.S. District Court in Seattle on September 5. She could face up to 25 years in prison if convicted.



from The Hacker News https://ift.tt/2NEXfos

Cisco Releases Security Updates for Multiple Products

Original release date: August 29, 2019

Cisco has released security updates to address vulnerabilities in multiple Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Cisco advisories and apply the necessary updates:




from US-CERT National Cyber Alert System https://ift.tt/2Zqav7h

IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM ILOG CPLEX Optimization Studio and IBM CPLEX Enterprise Server

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Versions 7 & 8 used by IBM CPLEX Optimization Studio and IBM CPLEX Enterprise Server. IBM CPLEX Optimization Studio and IBM CPLEX Enterprise Server have addressed the applicable CVEs.

CVE(s): CVE-2019-2816, CVE-2019-4473, CVE-2019-11771

Affected product(s) and affected version(s):
IBM CPLEX Optimization Studio and IBM CPLEX Enterprise Server 12.9 and earlier releases

IBM SDK, Java Technology Edition, Version 7 Service Refresh 10 Fix Pack 40 and earlier releases
IBM SDK, Java Technology Edition, Version 8 Service Refresh 5 Fix Pack 30 and earlier releases

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10961312
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/163878
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/163984
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/163989

The post IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM ILOG CPLEX Optimization Studio and IBM CPLEX Enterprise Server appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/2LdCZr7

IBM Security Bulletin: Vulnerability CVE-2019-1543 in OpenSSL affects IBM i

OpenSSL is used by IBM i. IBM i has addressed the applicable CVE.

CVE(s): CVE-2019-1543

Affected product(s) and affected version(s):
Releases 7.1, 7.2, 7.3 and 7.4 of IBM i are affected.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10967487
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/157841

The post IBM Security Bulletin: Vulnerability CVE-2019-1543 in OpenSSL affects IBM i appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/2Zr5iw8

IBM Security Bulletin: IBM InfoSphere Master Data Management Standard and Advanced Editions are affected by vulnerabilities in OpenSSL (CVE-2019-1559)

Security vulnerabilities have been discovered in OpenSSL.

CVE(s): CVE-2019-1559

Affected product(s) and affected version(s):

These vulnerabilities are known to affect the following offerings:

IBM InfoSphere Master Data Management V11.0
IBM InfoSphere Master Data Management V11.3
IBM InfoSphere Master Data Management V11.4
IBM InfoSphere Master Data Management V11.5
IBM InfoSphere Master Data Management V11.6

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=ibm11072044
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/157514

The post IBM Security Bulletin: IBM InfoSphere Master Data Management Standard and Advanced Editions are affected by vulnerabilities in OpenSSL (CVE-2019-1559) appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/2LdCYDz

These two Android apps with 1.5 million downloads were secretly clicking on ads

VMworld 2019: VMware expands its multicloud, security, Kubernetes strategies

Global Breach Costs Set to Top $5 Trillion By 2024

Patch now: Cisco IOS XE routers exposed to rare 10/10-severity security flaw

Alleged Capital One Hacker Also Accused of Crypto-Jacking

Hong Kong ISPs Hit Back at Government Censorship

Apple Changes the Way It Listens to Your Siri Recordings Following Privacy Concerns


Apple today announced some major changes to its controversial 'Siri audio grading program' following criticism for employing humans to listen to audio recordings of users collected via its voice-controlled Siri personal assistant without their knowledge or consent.

The move came a month after The Guardian reported that third-party contractors were regularly listening to private conversations of Apple users giving voice commands to Siri in a bid to improve the quality of its product's responses.

While the data received by the contractors was anonymized and not associated with Apple devices, the private conversations—which also include private discussions between doctors and patients, business deals, seemingly criminal dealings, people having sex and so on—sometimes reveal identifiable details like a person's name or medical records.

In response to the backlash Apple received after the report went public, the company initially responded by temporarily suspending the program earlier this month while it thoroughly reviewed its practices and policies.

Now, Apple today revealed that the company intends to continue that program in the fall, but only after making three significant changes to it, as mentioned below:

  • First, Apple will no longer retain audio recordings of Siri interactions by default. Instead, the company will continue to use computer-generated transcripts to help Siri improve.
  • Second, Apple will allow users to opt-in to having their audio recordings listened to by human reviewers to help improve Siri's responses. Users who choose to participate can opt-out at any time.
  • Third, if you opt in to the grading program, only Apple employees will be allowed to listen to audio samples of your Siri interactions, rather than third-party contractors. The company also aims to delete Siri recordings when it determines users triggered it accidentally.

As a result of these changes, at least 300 contractors in Europe who were part of Apple's grading program have lost their jobs, The Irish Times reports.

Besides announcing the changes, Apple also assured its users that its Siri personal assistant has never been used outside the company, saying:

"When we store Siri data on our servers, we don't use it to build a marketing profile, and we never sell it to anyone. We use Siri data only to improve Siri, and we are constantly developing technologies to make Siri even more private."

The next iOS software update for iPhones is expected to be released in early October and could be the one in which Apple implements the promised opt-in control for its Siri grading program.

Apple is not the only major technology company that has been found listening to its smart assistant recordings and forced to rethink its approach to reviewing users' audio recordings amid privacy concerns.

Earlier this month, Google temporarily stopped human contractors from listening to Assistant recordings around the world. Amazon also changed its settings to let its users opt out of having their Alexa recordings reviewed by humans.



from The Hacker News https://ift.tt/2MJ6uUC

Australia's consumer energy data to be made open under CDR

Wednesday, August 28, 2019

USN-4112-1: Ceph vulnerability

ceph vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.04
  • Ubuntu 18.04 LTS

Summary

Ceph could be made to crash if it received specially crafted network traffic.

Software Description

  • ceph - distributed storage and file system

Details

Abhishek Lekshmanan discovered that the RADOS gateway implementation in Ceph did not handle client disconnects properly in some situations. A remote attacker could use this to cause a denial of service.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04
ceph - 13.2.6-0ubuntu0.19.04.3
radosgw - 13.2.6-0ubuntu0.19.04.3
Ubuntu 18.04 LTS
ceph - 12.2.12-0ubuntu0.18.04.2
radosgw - 12.2.12-0ubuntu0.18.04.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References



from Ubuntu Security Notices https://ift.tt/2MQpzEP

USN-4111-1: Ghostscript vulnerabilities

ghostscript vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.04
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

Summary

Ghostscript could be made to access arbitrary files if it opened a specially crafted file.

Software Description

  • ghostscript - PostScript and PDF interpreter

Details

Hiroki Matsukuma discovered that the PDF interpreter in Ghostscript did not properly restrict privileged calls when ‘-dSAFER’ restrictions were in effect. If a user or automated system were tricked into processing a specially crafted file, a remote attacker could possibly use this issue to access arbitrary files. (CVE-2019-14811, CVE-2019-14812, CVE-2019-14813, CVE-2019-14817)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04
ghostscript - 9.26~dfsg+0-0ubuntu7.3
libgs9 - 9.26~dfsg+0-0ubuntu7.3
Ubuntu 18.04 LTS
ghostscript - 9.26~dfsg+0-0ubuntu0.18.04.11
libgs9 - 9.26~dfsg+0-0ubuntu0.18.04.11
Ubuntu 16.04 LTS
ghostscript - 9.26~dfsg+0-0ubuntu0.16.04.11
libgs9 - 9.26~dfsg+0-0ubuntu0.16.04.11

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References



from Ubuntu Security Notices https://ift.tt/326SuYs

Hong Kong ISPs oppose any government plans to restrict internet network

Cisco NX-OS Software Cisco Fabric Services over IP Denial of Service Vulnerability

Severity: High
Advisory ID: cisco-sa-20190828-nxos-fsip-dos
First Published: 2019 August 28 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
CVE: CVE-2019-1962
CWE: CWE-20
CVSS Score: Base 8.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  • A vulnerability in the Cisco Fabric Services component of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause process crashes, which can result in a denial of service (DoS) condition on an affected system.

    The vulnerability is due to insufficient validation of TCP packets when processed by the Cisco Fabric Services over IP (CFSoIP) feature. An attacker could exploit this vulnerability by sending a malicious Cisco Fabric Services TCP packet to an affected device. A successful exploit could allow the attacker to cause process crashes, resulting in a device reload and a DoS condition.

    Note: There are three distribution methods that can be configured for Cisco Fabric Services. This vulnerability affects only distribution method CFSoIP, which is disabled by default. See the Details section for more information.

    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-fsip-dos

    This advisory is part of the August 2019 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication, which includes five Cisco Security Advisories that describe five vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: August 2019 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication.

Affected Products

  • Vulnerable Products

    This vulnerability affects the following Cisco products if they are running a vulnerable release of Cisco NX-OS Software with CFSoIP enabled:

    • MDS 9000 Series Multilayer Switches
    • Nexus 3000 Series Switches
    • Nexus 3500 Platform Switches
    • Nexus 3600 Platform Switches
    • Nexus 5500 Platform Switches
    • Nexus 5600 Platform Switches
    • Nexus 6000 Series Switches
    • Nexus 7000 Series Switches
    • Nexus 7700 Series Switches
    • Nexus 9000 Series Switches in standalone NX-OS mode
    • Nexus 9500 R-Series Switching Platform
    • UCS 6200 Series Fabric Interconnects
    • UCS 6300 Series Fabric Interconnects

    Administrators can display the distribution status of Cisco Fabric Services for a device by using the show cfs status command in the device CLI, as shown in the following example:

    switch# show cfs status
    Distribution : Enabled
    Distribution over IP : Disabled
    IPv4 multicast address : 239.255.70.83
    IPv6 multicast address : ff15::efff:4653
    Distribution over Ethernet : Disabled


    In the preceding example, the Enabled value in the Distribution field of the command output indicates that Cisco Fabric Services is enabled for the device and the device is configured to use the default Cisco Fabric Services distribution type, which is CFSoFC. The Disabled value in the Distribution over IP field and the Distribution over Ethernet field indicates that the device is not configured to use the CFSoIP and CFSoE distribution types.

    For information about which Cisco NX-OS Software releases are vulnerable, see the Fixed Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following Cisco products:

    • Firepower 2100 Series
    • Firepower 4100 Series
    • Firepower 9300 Security Appliances
    • Nexus 1000V Switch for Microsoft Hyper-V
    • Nexus 1000V Switch for VMware vSphere
    • Nexus 1000 Virtual Edge for VMware vSphere
    • Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode
    • UCS 6400 Series Fabric Interconnects

Details

  • Cisco Fabric Services provides a common infrastructure for distributing and synchronizing configuration data between Cisco devices that are on the same network and with virtual port channels (vPCs). This includes configuration data for applications and features that are compatible with and enabled to use Cisco Fabric Services—for example, Distributed Device Alias Services, Network Time Protocol (NTP), and user and administrator roles. To distribute and synchronize data, Cisco Fabric Services can be configured to use any of the following distribution types:

    Cisco Fabric Services over Fibre Channel (CFSoFC)—Distributes data over a Fibre Channel (FC) fabric, such as a virtual storage area network (VSAN). CFSoFC distribution is enabled by default.

    Cisco Fabric Services over Ethernet (CFSoE)—Distributes data over an Ethernet network. For vPC support, Cisco Fabric Services must be configured to use this distribution type. CFSoE distribution is disabled by default.

    Cisco Fabric Services over IP (CFSoIP)—Distributes data over an IPv4 or IPv6 network. CFSoIP distribution is disabled by default.

    Note: The vulnerability described in this advisory is due to insufficient input validation that could occur when the affected software processes CFSoIP TCP packets received during distribution and synchronization operations. An attack is possible from any node that has IP network connectivity to the management interface of an affected device and cannot occur from the data plane.

Workarounds

  • There are no workarounds that address this vulnerability.

Fixed Software

  • Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate release as indicated in the applicable table in this section. To help ensure a complete upgrade solution, customers should consider that this advisory is part of a bundled publication. The following page provides a complete list of bundle advisories: Cisco Event Response: August 2019 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication.

    In the following table(s), the left column lists releases of Cisco FXOS Software or Cisco NX-OS Software. The center column indicates whether a release is affected by the vulnerability described in this advisory and the first release that includes the fix for this vulnerability. The right column indicates whether a release is affected by all the vulnerabilities described in this bundle and which release includes fixes for those vulnerabilities.

    MDS 9000 Series Multilayer Switches: CSCva64492

    NX-OS Release   First Fixed for This Vulnerability   First Fixed for All Bundle Vulnerabilities
    5.2             6.2(25)                              6.2(29) [1]
    6.2             6.2(25)                              6.2(29) [1]
    7.3             8.1(1)                               8.4(1)
    8.1             Not vulnerable                       8.4(1)
    8.2             Not vulnerable                       8.4(1)
    8.3             Not vulnerable                       8.4(1)
    8.4             Not vulnerable                       Not vulnerable
    [1] This release is scheduled for September 2019.

    Nexus 3000 Series Switches and Nexus 9000 Series Switches in Standalone NX-OS Mode: CSCvj59058

    NX-OS Release           First Fixed for This Vulnerability   First Fixed for All Bundle Vulnerabilities
    Earlier than 7.0(3)I4   7.0(3)I4(9)                          7.0(3)I4(9)
    7.0(3)I4                7.0(3)I4(9)                          7.0(3)I4(9)
    7.0(3)I7                7.0(3)I7(4)                          7.0(3)I7(6)
    9.2                     Not vulnerable                       9.2(3)
    9.3                     Not vulnerable                       Not vulnerable

    Nexus 3500 Platform Switches: CSCvk70631

    NX-OS Release           First Fixed for This Vulnerability   First Fixed for All Bundle Vulnerabilities
    Earlier than 6.0(2)A8   6.0(2)A8(10)                         6.0(2)A8(11)
    6.0(2)A8                6.0(2)A8(10)                         6.0(2)A8(11)
    7.0(3)I7                7.0(3)I7(4)                          7.0(3)I7(6)
    9.2                     Not vulnerable                       9.2(3)
    9.3                     Not vulnerable                       Not vulnerable

    Nexus 3600 Platform Switches and Nexus 9500 R-Series Switching Platform: CSCvk70625

    NX-OS Release   First Fixed for This Vulnerability   First Fixed for All Bundle Vulnerabilities
    7.0(3)          7.0(3)F3(3c) [1]                     9.2(3)
    9.2             Not vulnerable                       9.2(3)
    9.3             Not vulnerable                       Not vulnerable
    [1] This vulnerability is not fixed in 7.0(3)F3(4) but is fixed in 7.0(3)F3(5).

    Nexus 5500, 5600, and 6000 Series Switches: CSCvk70632

    NX-OS Release      First Fixed for This Vulnerability   First Fixed for All Bundle Vulnerabilities
    Earlier than 7.1   7.1(5)N1(1b)                         7.1(5)N1(1b)
    7.1                7.1(5)N1(1b)                         7.1(5)N1(1b)
    7.3                7.3(4)N1(1)                          7.3(5)N1(1)

    Nexus 7000 and 7700 Series Switches: CSCva64492

    NX-OS Release      First Fixed for This Vulnerability   First Fixed for All Bundle Vulnerabilities
    Earlier than 6.2   6.2(22)                              6.2(22)
    6.2                6.2(22)                              6.2(22)
    7.2                7.3(3)D1(1)                          7.3(4)D1(1)
    7.3                7.3(3)D1(1)                          7.3(4)D1(1)
    8.0                Not vulnerable                       8.2(3)
    8.1                Not vulnerable                       8.2(3)
    8.2                Not vulnerable                       8.2(3)
    8.3                Not vulnerable                       8.4(1)
    8.4                Not vulnerable                       Not vulnerable

    UCS 6200 and 6300 Series Fabric Interconnects: CSCvk70633

    NX-OS Release      First Fixed for This Vulnerability   First Fixed for All Bundle Vulnerabilities
    Earlier than 3.2   3.2(3l) [1]                          No fix at this time
    3.2                3.2(3l) [1]                          No fix at this time
    4.0                4.0(2d)                              No fix at this time
    [1] This release is scheduled for September 2019.

    Additional Resources

    For help determining the best Cisco NX-OS Software release for a Cisco Nexus Switch, administrators can refer to the following Recommended Releases documents. If a security advisory recommends a later release, Cisco recommends following the advisory guidance.

    Cisco MDS Series Switches
    Cisco Nexus 1000V for VMware Switch
    Cisco Nexus 3000 Series and 3500 Series Switches
    Cisco Nexus 5000 Series Switches
    Cisco Nexus 5500 Platform Switches
    Cisco Nexus 6000 Series Switches
    Cisco Nexus 7000 Series Switches
    Cisco Nexus 9000 Series Switches
    Cisco Nexus 9000 Series ACI-Mode Switches

    For help determining the best Cisco NX-OS Software release for Cisco UCS, refer to the Recommended Releases documents in the release notes for the device.

Exploitation and Public Announcements

  • The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

  • This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  • To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.


Revision History

  • Version 1.0: Initial public release. Status: Final. Date: 2019-August-28.




from Cisco Security Advisory https://ift.tt/2ZAwhRf

Cisco NX-OS Software NX-API Denial of Service Vulnerability

Severity: Medium
Advisory ID: cisco-sa-20190828-nxos-api-dos
First Published: 2019 August 28 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
CVE: CVE-2019-1968
CWE: CWE-20
CVSS Score: Base 5.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:X/RL:X/RC:X

Summary

  • A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause an NX-API system process to unexpectedly restart.

    The vulnerability is due to incorrect validation of the HTTP header of a request that is sent to the NX-API. An attacker could exploit this vulnerability by sending a crafted HTTP request to the NX-API on an affected device. A successful exploit could allow the attacker to cause a denial of service (DoS) condition in the NX-API service; however, the NX-OS device itself would still be available and passing network traffic.

    Note: The NX-API feature is disabled by default.

    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-api-dos

Affected Products

  • Vulnerable Products

    At the time of publication, this vulnerability affected the following Cisco products if they were running a vulnerable release of Cisco NX-OS Software and had the NX-API feature enabled:

    • MDS 9000 Series Multilayer Switches
    • Nexus 3000 Series Switches
    • Nexus 3500 Platform Switches
    • Nexus 3600 Platform Switches
    • Nexus 5500 Platform Switches
    • Nexus 5600 Platform Switches
    • Nexus 6000 Series Switches
    • Nexus 7000 Series Switches
    • Nexus 7700 Series Switches
    • Nexus 9000 Series Switches in standalone NX-OS mode
    • Nexus 9500 R-Series Switching Platform

    For information about which Cisco NX-OS Software releases were vulnerable at the time of publication, see the Fixed Software section of this advisory. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

    This vulnerability affects only Cisco NX-OS devices that have the NX-API feature enabled. The NX-API feature is disabled by default. To determine whether an affected device is configured with the NX-API feature enabled, administrators can use the show feature | include nxapi command from the Cisco NX-OS CLI and verify that the feature is enabled. The following example shows the NX-API feature enabled on a device that is running Cisco NX-OS Software:

    nxos-switch# show feature | include nxapi
    nxapi                1        enabled


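    The two CLI checks (show cfs status for CFSoIP in cisco-sa-20190828-nxos-fsip-dos, show feature | include nxapi for NX-API in this advisory) only tell you whether the attack surface is exposed; the running release still has to be compared against the fixed-release tables. The Python script below is an added example, not Cisco code, that does both in one pass: it parses the two command outputs, looks the running release up in the Nexus 3000 / Nexus 9000 standalone-mode rows transcribed from each advisory (bug IDs CSCvj59058 and CSCvn31273), and reports whether an upgrade is needed. The release-ordering rule (split the string into number and letter runs, compare left to right), the running release and the sample CLI output are assumptions made for this example; confirm the tables against the bug IDs before acting on the result.

```python
"""Audit one NX-OS device for CVE-2019-1962 (CFSoIP) and CVE-2019-1968 (NX-API).

Added example, not Cisco code. The release tables are transcribed from the
Nexus 3000 / Nexus 9000 (standalone NX-OS mode) rows of the two advisories
(CSCvj59058, CSCvn31273). The version-ordering rule, the running release and
the sample CLI output are assumptions made for this example.
"""
import re

# (train, first fixed release). A train written "<X" means "earlier than X";
# a fix of None means the advisory lists that train as not vulnerable.
CFSOIP_N3K_N9K = [                      # cisco-sa-20190828-nxos-fsip-dos
    ("<7.0(3)I4", "7.0(3)I4(9)"),
    ("7.0(3)I4", "7.0(3)I4(9)"),
    ("7.0(3)I7", "7.0(3)I7(4)"),
    ("9.2", None),
    ("9.3", None),
]
NXAPI_N3K_N9K = [                       # cisco-sa-20190828-nxos-api-dos
    ("<6.0(2)U4", None),
    ("6.0(2)U4", "7.0(3)I4(9)"),
    ("6.0(2)U5", "7.0(3)I4(9)"),
    ("6.0(2)U6", "7.0(3)I4(9)"),
    ("6.1(2)I1", None),
    ("6.1(2)I2", "7.0(3)I4(9)"),
    ("6.1(2)I3", "7.0(3)I4(9)"),
    ("7.0(3)I4", "7.0(3)I4(9)"),
    ("7.0(3)I7", "7.0(3)I7(6)"),
    ("9.2", "9.2(3)"),
    ("9.3", None),
]


def parse_release(release):
    """'7.0(3)I7(4)' -> [7, 0, 3, 'I', 7, 4]: digit runs as ints, letter runs as str."""
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", release)]


def compare_release(a, b):
    """-1/0/1 comparing token lists left to right (assumed ordering rule).
    A list that is a strict prefix of the other sorts first: 7.0(3)I4 < 7.0(3)I4(9)."""
    for x, y in zip(a, b):
        if x != y:
            if isinstance(x, int) and isinstance(y, int):
                return -1 if x < y else 1
            return -1 if str(x) < str(y) else 1
    return (len(a) > len(b)) - (len(a) < len(b))


def first_fixed(table, running):
    """Find the table row for the running release.
    Returns (found, fixed); fixed is None when the train is listed as not vulnerable."""
    tokens = parse_release(running)
    for train, fixed in table:            # exact train rows take priority
        if not train.startswith("<"):
            prefix = parse_release(train)
            if tokens[:len(prefix)] == prefix:
                return True, fixed
    for train, fixed in table:            # then the "earlier than" catch-all rows
        if train.startswith("<") and compare_release(tokens, parse_release(train[1:])) < 0:
            return True, fixed
    return False, None


def cfsoip_enabled(show_cfs_status):
    """True when 'Distribution over IP : Enabled' appears in 'show cfs status' output."""
    m = re.search(r"Distribution over IP\s*:\s*(\w+)", show_cfs_status)
    return bool(m) and m.group(1).lower() == "enabled"


def nxapi_enabled(show_feature):
    """True when the nxapi row of 'show feature | include nxapi' reads 'enabled'."""
    m = re.search(r"^\s*nxapi\s+\d+\s+(\w+)", show_feature, re.MULTILINE)
    return bool(m) and m.group(1).lower() == "enabled"


def assess(feature_on, table, running):
    """Verdict for one advisory: the device is exposed only when the feature is on
    AND the running release is older than the first fixed release for its train."""
    if not feature_on:
        return "not exposed: feature disabled"
    found, fixed = first_fixed(table, running)
    if not found:
        return "unknown release: check the bug ID"
    if fixed is None or compare_release(parse_release(running), parse_release(fixed)) >= 0:
        return "not vulnerable"
    return "vulnerable: upgrade to " + fixed


# Constructed CLI output in the layout the advisories show (not a real capture).
SAMPLE_CFS_STATUS = """\
Distribution : Enabled
Distribution over IP : Enabled
IPv4 multicast address : 239.255.70.83
IPv6 multicast address : ff15::efff:4653
Distribution over Ethernet : Disabled
"""
SAMPLE_SHOW_FEATURE = "nxapi                1        enabled\n"

if __name__ == "__main__":
    running = "7.0(3)I7(3)"  # assumed running release of the audited switch
    print("CFSoIP :", assess(cfsoip_enabled(SAMPLE_CFS_STATUS), CFSOIP_N3K_N9K, running))
    print("NX-API :", assess(nxapi_enabled(SAMPLE_SHOW_FEATURE), NXAPI_N3K_N9K, running))
```

    For other platforms, add the corresponding rows from the advisory tables in the same (train, first fixed) form; the CFSoIP check is only meaningful on a device whose management interface is reachable from the attacker, which is the exposure the fsip-dos advisory describes.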
    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following Cisco products:

    • Firepower 2100 Series
    • Firepower 4100 Series
    • Firepower 9300 Security Appliances
    • Nexus 1000 Virtual Edge for VMware vSphere
    • Nexus 1000V Switch for Microsoft Hyper-V
    • Nexus 1000V Switch for VMware vSphere
    • Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode
    • UCS 6200 Series Fabric Interconnects
    • UCS 6300 Series Fabric Interconnects
    • UCS 6400 Series Fabric Interconnects

Details

  • To exploit this vulnerability, a remote attacker must send a crafted HTTP or HTTPS request to the externally reachable NX-API service on the device.

Workarounds

  • There are no workarounds that address this vulnerability.

Fixed Software

  • When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    Fixed Releases

    At the time of publication, the release information in the following table(s) was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

    The left column lists Cisco software releases, and the right column indicates whether a release was affected by the vulnerability described in this advisory and which release included the fix for this vulnerability.

    MDS 9000 Series Multilayer Switches: CSCvn26502

    Cisco NX-OS Software Release    First Fixed Release for This Vulnerability
    5.2                             Not vulnerable
    6.2                             Not vulnerable
    7.3                             8.3(2)
    8.1                             8.3(2)
    8.2                             8.3(2)
    8.3                             8.3(2)
    8.4                             Not vulnerable

    Nexus 3000 Series Switches and Nexus 9000 Series Switches in Standalone NX-OS Mode: CSCvn31273

    Cisco NX-OS Software Release          First Fixed Release for This Vulnerability
    Earlier than 6.0(2)U4                 Not vulnerable
    6.0(2)U4, 6.0(2)U5, and 6.0(2)U6      7.0(3)I4(9)
    6.1(2)I1                              Not vulnerable
    6.1(2)I2 and 6.1(2)I3                 7.0(3)I4(9)
    7.0(3)I4                              7.0(3)I4(9)
    7.0(3)I7                              7.0(3)I7(6)
    9.2                                   9.2(3)
    9.3                                   Not vulnerable

    Nexus 3500 Platform Switches: CSCvn31273

    Cisco NX-OS Software Release    First Fixed Release for This Vulnerability
    Earlier than 6.0(2)A            Not vulnerable
    6.0(2)A8                        6.0(2)A8(11a)
    7.0(3)I7                        7.0(3)I7(6)
    9.2                             9.2(3)
    9.3                             Not vulnerable

    Nexus 3600 Platform Switches and Nexus 9500 R-Series Switching Platform: CSCvn31273

    Cisco NX-OS Software Release    First Fixed Release for This Vulnerability
    7.0(3)F                         9.2(3)
    9.2                             9.2(3)
    9.3                             Not vulnerable

    Nexus 5500 and 5600 Platform Switches and Nexus 6000 Series Switches: CSCvn57900

    Cisco NX-OS Software Release    First Fixed Release for This Vulnerability
    Earlier than 7.1                Not vulnerable
    7.1                             7.3(5)N1(1)
    7.2                             7.3(5)N1(1)
    7.3                             7.3(5)N1(1)

    Nexus 7000 and 7700 Series Switches: CSCvn26502

    Cisco NX-OS Software Release    First Fixed Release for This Vulnerability
    Earlier than 6.2                Not vulnerable
    6.2                             Not vulnerable
    7.2                             7.3(4)D1(1)
    7.3                             7.3(4)D1(1)
    8.0                             8.2(3)
    8.1                             8.2(3)
    8.2                             8.2(3)
    8.3                             8.3(2)
    8.4                             Not vulnerable
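    The two checks the advisory asks for (is NX-API enabled, per the show feature command in Vulnerable Products, and is the running release at or past the first fixed release in the tables above) are easy to get wrong at fleet scale because NX-OS release strings such as 7.0(3)I7(5) do not compare as plain numbers. The following script is an added example, not Cisco code, and works entirely offline on captured CLI output. It transcribes the fixed-release rows from the tables above, tokenizes release strings so that a train such as 7.0(3)I7 matches its members, and combines both checks into one verdict per device. The platform key is supplied by the caller; mapping chassis hardware to the advisory's platform groups is an operator decision and is not attempted here. The sample show version and show feature text at the bottom is constructed for the stand-alone run, not captured from a real device.

```python
"""Offline triage of NX-OS devices against this advisory's fixed-release tables.

Added example, not Cisco's code. Input is captured CLI output only:
  show feature | include nxapi   -> is the NX-API attack surface present?
  show version                   -> which release is running?
"""
import re
from typing import Optional, Tuple

# Fixed-release rows transcribed from the advisory. Keys are release trains
# as listed; a value of None means the advisory marks the train
# "Not vulnerable". "earlier_than" carries the "Earlier than X" row, if any.
TABLES = {
    "MDS 9000": {"earlier_than": None, "rows": {
        "5.2": None, "6.2": None, "7.3": "8.3(2)", "8.1": "8.3(2)",
        "8.2": "8.3(2)", "8.3": "8.3(2)", "8.4": None}},
    "Nexus 3000/9000 standalone": {"earlier_than": "6.0(2)U4", "rows": {
        "6.0(2)U4": "7.0(3)I4(9)", "6.0(2)U5": "7.0(3)I4(9)",
        "6.0(2)U6": "7.0(3)I4(9)", "6.1(2)I1": None,
        "6.1(2)I2": "7.0(3)I4(9)", "6.1(2)I3": "7.0(3)I4(9)",
        "7.0(3)I4": "7.0(3)I4(9)", "7.0(3)I7": "7.0(3)I7(6)",
        "9.2": "9.2(3)", "9.3": None}},
    "Nexus 3500": {"earlier_than": "6.0(2)A", "rows": {
        "6.0(2)A8": "6.0(2)A8(11a)", "7.0(3)I7": "7.0(3)I7(6)",
        "9.2": "9.2(3)", "9.3": None}},
    "Nexus 3600/9500 R": {"earlier_than": None, "rows": {
        "7.0(3)F": "9.2(3)", "9.2": "9.2(3)", "9.3": None}},
    "Nexus 5500/5600/6000": {"earlier_than": "7.1", "rows": {
        "7.1": "7.3(5)N1(1)", "7.2": "7.3(5)N1(1)", "7.3": "7.3(5)N1(1)"}},
    "Nexus 7000/7700": {"earlier_than": "6.2", "rows": {
        "6.2": None, "7.2": "7.3(4)D1(1)", "7.3": "7.3(4)D1(1)",
        "8.0": "8.2(3)", "8.1": "8.2(3)", "8.2": "8.2(3)",
        "8.3": "8.3(2)", "8.4": None}},
}


def parse_release(release: str) -> Tuple[tuple, ...]:
    """Split an NX-OS release such as 7.0(3)I7(5) into comparable tokens.

    Numbers become (0, int) and letter runs (1, str), so tuple comparison
    never mixes int with str, and a train is a proper prefix of its members.
    """
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"\d+|[A-Za-z]+", release))


def in_train(release: str, train: str) -> bool:
    """True when `release` belongs to `train` (train tokens are a prefix)."""
    r, t = parse_release(release), parse_release(train)
    return r[:len(t)] == t


def nxapi_enabled(show_feature: str) -> bool:
    """Parse 'show feature | include nxapi' output; disabled is the default."""
    m = re.search(r"^\s*nxapi\s+\d+\s+(enabled|disabled)\b", show_feature, re.M)
    return bool(m) and m.group(1) == "enabled"


def running_release(show_version: str) -> Optional[str]:
    """Pull the release from the 'NXOS: version' or 'system: version' line."""
    m = re.search(r"^\s*(?:NXOS|system):\s+version\s+(\S+)", show_version, re.M)
    return m.group(1) if m else None


def first_fixed(platform: str, release: str) -> Optional[str]:
    """First fixed release for `release`, or None if the row says not vulnerable.

    Raises LookupError when the advisory lists no row covering the release.
    """
    table = TABLES[platform]
    earlier = table["earlier_than"]
    if earlier and parse_release(release) < parse_release(earlier):
        return None
    # Longest matching train wins, so 7.0(3)I7 would beat a bare 7.0 row.
    matches = [t for t in table["rows"] if in_train(release, t)]
    if not matches:
        raise LookupError(f"{release} is not listed for {platform}")
    return table["rows"][max(matches, key=len)]


def triage(platform: str, show_version: str, show_feature: str) -> dict:
    """Combine the release check and the NX-API check into one verdict."""
    release = running_release(show_version)
    if release is None:
        return {"status": "unknown", "reason": "no release in show version"}
    try:
        fixed = first_fixed(platform, release)
    except LookupError as e:
        return {"status": "unknown", "release": release, "reason": str(e)}
    if fixed is None:
        status = "not vulnerable"
    elif parse_release(release) >= parse_release(fixed):
        status = "patched"
    elif not nxapi_enabled(show_feature):
        status = "vulnerable release, NX-API disabled"  # upgrade before enabling
    else:
        status = "exposed"
    return {"status": status, "release": release, "first_fixed": fixed}


# Constructed sample output (not from a real device) for a stand-alone run.
SAMPLE_VERSION = "Software\n  BIOS: version 07.65\n  NXOS: version 7.0(3)I7(5)\n"
SAMPLE_FEATURE = "nxapi                1        enabled\n"

if __name__ == "__main__":
    print(triage("Nexus 3000/9000 standalone", SAMPLE_VERSION, SAMPLE_FEATURE))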

    Additional Resources

    For help determining the best Cisco NX-OS Software release for a Cisco Nexus Switch, administrators can refer to the following Recommended Releases documents. If a security advisory recommends a later release, Cisco recommends following the advisory guidance.

    Cisco MDS Series Switches
    Cisco Nexus 1000V for VMware Switch
    Cisco Nexus 3000 Series and 3500 Series Switches
    Cisco Nexus 5000 Series Switches
    Cisco Nexus 5500 Platform Switches
    Cisco Nexus 6000 Series Switches
    Cisco Nexus 7000 Series Switches
    Cisco Nexus 9000 Series Switches
    Cisco Nexus 9000 Series ACI-Mode Switches

    For help determining the best Cisco NX-OS Software release for Cisco UCS, refer to the Recommended Releases documents in the release notes for the device.

Exploitation and Public Announcements

  • The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

  • This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  • To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

Revision History

  • Version   Description               Section   Status   Date
    1.0       Initial public release.             Final    2019-August-28



from Cisco Security Advisory https://ift.tt/2ZsNbAZ