Hackin9

In the security community, the deprecation of SSL has been hailed as a good thing by almost everyone. Not only has SSL been deprecated, it's been deprecated with extreme prejudice, and with extreme rapidity. And not just in browsers (see Johannes's story here: https://isc.sans.edu/diary/19323 )

However, it's become apparent in recent weeks that while most website administrators have caught up quickly to the new reality of TLS-only encryption in browsers, many system administrators have been caught flat-footed.

Just in the last couple of weeks, I've worked with system administrators who have had problems administering critical system infrastructure: infrastructure that uses SSL for its HTTPS connection and doesn't support TLS. While the vendors of this infrastructure will quickly point out that a firmware update to their gear will solve this problem, these firmware updates have almost universally come late to the party - in a lot of cases they haven't been available until fairly recently.

Admins are often caught off-guard, not realizing that their browser update has broken their infrastructure admin until something important happens, something that requires adding a SAN LUN, adding Fibre Channel zones for that new pod of servers, or doing a remote power off / power on of a critical server using its remote console board.

Stuff that I have seen personally has included (Vendor names left out, sorry):

  • SAN Administration consoles from at least 3 vendors
  • Firewall and IPS admin consoles (yes, really)
  • Big Iron Unix remote admin board
  • Popular Server remote admin boards from several vendors

The catch-22 in this situation is that, looking at this list, all of these things are very tough to schedule intrusive administration for. Scheduling a firmware update for the admin console of your SAN, for instance, can be a very challenging task - IT management is likely to use terms like Outage and Risk, often with the word Unacceptable in the same sentence. For things like your large Solaris or AIX servers, storage systems and so on, management is often much more comfortable NOT approving patches or updates, electing instead to isolate them to a secured VLAN ... or worse yet, to not patch them and NOT isolate them.

(Mind you, the golden rules of pentesting include things like "secured VLANs aren't" and "air-gapped networks are isolated, except for that one wire or one firewall rule" ...)
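The check a practitioner wants before the next browser update is an inventory of which management interfaces a TLS-only client can still reach. The script below is an added example, not code from this diary or from ISC: it opens a handshake to each console with a client context that, like a current browser, never offers SSLv2 or SSLv3, and sorts the results into "still fine", "unreachable" and "handshake rejected". The host names are constructed placeholders, and the rejection bucket relies on OpenSSL's reason strings, so it also catches consoles that refuse for cipher rather than version reasons (an RC4-only box fails the same way from the browser's point of view).

```python
"""Added example (not from the diary): inventory probe for management interfaces.

Connects to each console with a client context that, like a current browser,
never offers SSLv2 or SSLv3, and records whether the handshake is accepted.
All host names below are constructed placeholders.
"""
import socket
import ssl
from typing import Optional

# Constructed sample inventory (hypothetical names, not real hosts).
MANAGEMENT_HOSTS = [
    ("san-console.example.internal", 443),
    ("ipmi-db01.example.internal", 443),
    ("fw-admin.example.internal", 8443),
]

# OpenSSL reason codes a TLS-only client sees when the peer will not negotiate
# an acceptable version (or, for the alert, an acceptable cipher).
HANDSHAKE_REJECTION_MARKERS = (
    "UNSUPPORTED_PROTOCOL",
    "WRONG_VERSION_NUMBER",
    "TLSV1_ALERT_PROTOCOL_VERSION",
    "SSLV3_ALERT_HANDSHAKE_FAILURE",
    "NO_PROTOCOLS_AVAILABLE",
)


def browser_like_context() -> ssl.SSLContext:
    """PROTOCOL_TLS_CLIENT never enables SSLv2/SSLv3, matching the browser change.
    Certificate validation is switched off on purpose: appliance consoles almost
    always carry self-signed certificates, and this probe measures protocol
    support, not trust."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def classify(stage: str, exc: Optional[BaseException]) -> str:
    """Map (failing stage, exception) to one of:
    tls-ok, unreachable, handshake-rejected, tls-error."""
    if exc is None:
        return "tls-ok"
    if stage == "connect":                      # TCP never came up: not a TLS question
        return "unreachable"
    if isinstance(exc, (ssl.SSLEOFError, ConnectionResetError)):
        return "handshake-rejected"             # peer dropped the connection on our ClientHello
    if isinstance(exc, ssl.SSLError):
        text = "%s %s" % (getattr(exc, "reason", "") or "", exc)
        if any(marker in text for marker in HANDSHAKE_REJECTION_MARKERS):
            return "handshake-rejected"
    return "tls-error"


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """One browser-like handshake against host:port, returned as a result record."""
    stage, error, negotiated = "connect", None, None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            stage = "handshake"
            with browser_like_context().wrap_socket(raw, server_hostname=host) as tls:
                negotiated = tls.version()      # e.g. 'TLSv1.2'
    except OSError as exc:                      # ssl.SSLError is an OSError subclass
        error = exc
    return {"host": host, "port": port, "status": classify(stage, error),
            "protocol": negotiated, "detail": "" if error is None else str(error)}


def needs_firmware_update(results) -> list:
    """Consoles a current browser can no longer open: the update-scheduling list."""
    return sorted("%s:%d" % (r["host"], r["port"])
                  for r in results if r["status"] == "handshake-rejected")


# Constructed outcomes so the classifier can be checked offline (no network).
SAMPLE_OUTCOMES = [
    ("connect", ConnectionRefusedError(111, "Connection refused")),
    ("handshake", ssl.SSLError(1, "[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1000)")),
    ("handshake", ssl.SSLError(1, "[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] handshake failure (_ssl.c:1000)")),
    ("handshake", ConnectionResetError(104, "Connection reset by peer")),
    ("handshake", ssl.SSLError(1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:1000)")),
    ("handshake", None),
]


def classify_samples() -> list:
    return [classify(stage, exc) for stage, exc in SAMPLE_OUTCOMES]


if __name__ == "__main__":
    print("offline self-check:", classify_samples())
    results = [probe(h, p) for h, p in MANAGEMENT_HOSTS]
    for r in results:
        print("%-32s %-18s %s" % ("%s:%d" % (r["host"], r["port"]), r["status"], r["protocol"] or "-"))
    print("schedule firmware updates for:", needs_firmware_update(results) or "nothing")
```

Run it from a host on the management VLAN with the real console list substituted for MANAGEMENT_HOSTS; the "handshake-rejected" entries are the ones whose firmware update needs a change window before the next browser rollout, and "unreachable" entries are a network question rather than a TLS one.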

What have you found that you couldn't admin because of SSL deprecation? Was an update available? And if so, did you kick yourself for not applying it 2 years ago, or was the paint still wet on the update? Have you applied an update to deal with this, and found that it broke something else?

Please, share on our comment form. And feel free to include vendor names - just because I can't doesn't limit you that way!

===============
Rob VandenBrink
Metafore

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

redcarpet CVE-2015-5147 Stack Buffer Overflow Vulnerability
 
Novius OS 'tab' parameter Local File Include Vulnerability
 
Oracle Java SE CVE-2015-0470 Remote Security Vulnerability
 
[security bulletin] HPSBGN03352 rev.2 - HP Asset Manager Using RC4, Remote Disclosure of Information
 
[security bulletin] HPSBGN03354 rev.1 - HP Connect-IT Using RC4, Remote Disclosure of Information

Researchers sifting through the confidential material stolen from spyware developer Hacking Team have already uncovered a weaponized exploit for a currently unpatched vulnerability in Adobe Flash, and they also may have uncovered attack code targeting Microsoft Windows and a hardened Linux module known as SELinux.

Hacking Team documentation accompanying the Flash exploit said it targeted "the most beautiful Flash bug for the last four years," according to a blog post published Wednesday by researchers from antivirus provider Trend Micro. The use-after-free flaw resides in a Flash Bytearray object. Researchers at competing AV company Symantec have confirmed the existence of a Flash exploit that works against the latest version of Flash (18.0.0.194). They also have confirmed it works against people viewing content with Internet Explorer, and it's presumed it will work against other browsers as well.

"Symantec has confirmed the existence of a new zero-day vulnerability in Adobe Flash which could allow attackers to remotely execute code on a targeted computer," they wrote in a blog post published Tuesday. "Since details of the vulnerability are now publicly available, it is likely attackers will move quickly to exploit it before a patch is issued."

[security bulletin] HPSBGN03361 rev.1 - HP UCMDB, HP UCMDB Configuration Manager, HP UCMDB Browser, and HP Universal Discovery running TLS, Remote Disclosure of Information
 
[security bulletin] HPSBMU03234 rev.1 - HP Vertica Analytics Platform running SSLv3, Remote Disclosure of Information
 
 
[SECURITY] [DSA 3303-1] cups-filters security update
 
 
LinuxSecurity.com: HAProxy could be made to expose sensitive information over the network.
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
LinuxSecurity.com: The system could be made to expose sensitive information to local applications.
 
LinuxSecurity.com: Updated abrt packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security [More...]
 
LinuxSecurity.com: A vulnerability in libxml2 allows a remote attacker to cause Denial of Service.
 
LinuxSecurity.com: Multiple vulnerabilities have been found in LibVNCServer, the worst of which could result in execution of arbitrary code or Denial of Service.
 

Posted by InfoSec News on Jul 07

http://www.nextgov.com/cybersecurity/2015/07/pentagon-contractors-ranked-below-retailers-and-banks-when-it-comes-cybersecurity/116899/

By Aliya Sternstein
Nextgov.com
July 5, 2015

After revelations that a compromised contractor login abetted a grandiose
breach of federal employees' background investigations, now comes word
that Defense Department suppliers score below hacked retailers when it
comes to cyber defense.

The new...
 

Posted by InfoSec News on Jul 07

http://www.v3.co.uk/v3-uk/news/2416111/fbi-puts-usd3m-bounty-on-head-of-gameover-zeus-malware-creator

By Dan Worth
V3.co.uk
02 July 2015

The FBI has offered a reward of $3m for information leading to the capture
of the infamous Gameover Zeus malware creator.

Evgeniy Mikhailovich Bogachev has been in the FBI’s sights since June last
year when he was accused of being one of the ringleaders behind the
notorious Gameover Zeus malware.

The...
 

Posted by InfoSec News on Jul 07

http://arstechnica.com/security/2015/07/massive-leak-reveals-hacking-teams-most-private-moments-in-messy-detail/

By Dan Goodin
Ars Technica
July 6, 2015

Privacy and human rights advocates are having a field day picking through
a massive leak purporting to show spyware developer Hacking Team's most
candid moments, including documents that appear to contradict the
company's carefully scripted PR campaign.

"Imagine this: a leak...
 

Posted by InfoSec News on Jul 07

http://www.stltoday.com/sports/baseball/professional/cardinals-fire-scouting-director/article_b529088f-70c3-51c5-bab2-106afa1d2a12.html

By Robert Patrick, Derrick Goold
St. Louis Post Dispatch
July 3, 2015

ST. LOUIS -- The St. Louis Cardinals have terminated the contract of their
scouting director, Chris Correa, as investigations continue into alleged
hacking of a Houston Astros database.

A Cardinals’ lawyer, James G. Martin, confirmed the...
 

Posted by InfoSec News on Jul 07

http://www.bobsguide.com/guide/news/2015/Jul/6/overcoming-paralysis-why-financial-services-organisations-have-to-race-to-update-their-windows-server-strategy.html

By Dave Foreman, ECS, Practice Director
Bob's Guide
July 6, 2015

Most of the technical support teams we work with know their Microsoft
Server operating system inside out and have hardly lifted their phone to
call Microsoft support in years. But this well-oiled machine is about...
 
[SECURITY] [DSA 3302-1] libwmf security update