(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Wireshark 'dissectors/packet-packetbb.c' Denial of Service Vulnerability
 
Wecon Technologies LEVI Studio HMI Editor Multiple Security Vulnerabilities
 
Wireshark WBXML Dissector 'packet-wbxml.c' Infinite Loop Denial of Service Vulnerability
 
Drupal Legal Module Unspecified Security Vulnerability
 
Wireshark DOF Dissector 'packet-dof.c' Infinite Loop Denial of Service Vulnerability
 
Wireshark RPCoRDMA Dissector 'packet-rpcrdma.c' Infinite Loop Denial of Service Vulnerability
 
Wireshark 'dissectors/packet-imap.c' Denial of Service Vulnerability
 
Drupal @Base Module Unspecified Security Vulnerability
 
Wireshark NetScaler File Parser 'wiretap/netscaler.c' Infinite Loop Denial of Service Vulnerability
 
Wireshark WSP Dissector 'packet-wsp.c' Infinite Loop Denial of Service Vulnerability
 


We knew Microsoft was planning to block installation of Windows 7 and 8.1 updates on systems with Intel 7th Generation Core processors (more memorably known as Kaby Lake) and AMD Ryzen systems; we just weren't sure when. Now, the answer appears to be "this month." Users of new processors running old versions of Windows are reporting that their updates are being blocked. The block means that systems using these processors are no longer receiving security updates.

The new policy was announced in January of last year and revised slightly a couple of months later: Kaby Lake and Ryzen processors, and all new processors on an ongoing basis, would only be supported in Windows 10. Windows 7 and 8.1 would continue to support older processors, but their chip compatibility was frozen.

Awkwardly straddling the two policies are Intel's 6th Generation Core processors, aka Skylake. Some Skylake systems will continue to be supported in Windows 7 and 8.1. Others will not. Certain Skylake models shipped by 16 specific OEMs will continue to receive update support. But other Skylake systems will also need to upgrade to Windows 10 to receive ongoing updates.


 
Juniper NorthStar Controller Application CVE-2017-2331 Authentication Bypass Vulnerability
 
IBM Tivoli Application Dependency Discovery Manager CVE-2016-8925 Remote File Include Vulnerability
 
 
Juniper NorthStar Controller Application CVE-2017-2322 Local Denial of Service Vulnerability
 
D-Link DWR-116 CVE-2017-6190 Arbitrary File Download Vulnerability
 
Juniper Junos CVE-2017-2315 Denial of Service Vulnerability
 

Akamai researchers Jose Arteaga and Wilber Mejia have posted details on a new reflected DDoS approach, using the Connectionless LDAP (CLDAP) protocol on udp/389.

Reflected UDP attacks aren't new, but using CLDAP seems to be. Which made me wonder who the folks are that decided their AD (or other LDAP directory) should be put on the internet without at least putting a certificate on it. Then I clued in - many SIP implementations use unsecured LDAP for authentication, authorization and as a directory. Shodan lists 12,718 (as of today) sites with udp/389 open - and yes, many of them answer as SIP directories.

The reflection part of the attack is likely a directory listing from the root, or even a "tell me about yourself" query against the root (the rootDSE), which would work nicely (that'd be my attack approach anyway).

And apparently some subset of those 12,718 sites can total up to a maximum (so far) of 24Gbps of reflected DDoS traffic, with 3Gbps being the average seen to date. Akamai reports that 7,629 sites were used, and they also report many more vulnerable sites than Shodan does.

Mitigation? The report offers a mix of "don't do that" advice (keep udp/389 off the internet), along with a Snort signature to kill the reflection attack. Unfortunately, the Snort signature needs to be applied at the vulnerable site - to which my question is: what are the odds that an organization that has posted LDAP on udp/389 open to the internet has an instance of Snort running? As is the case in so many DDoS situations, the hosts that are the source of the problem never see the problem; they're not the victims. So it's unlikely that we'll see this fixed anytime soon.

The full Akamai report can be found here: https://www.akamai.com/us/en/about/our-thinking/threat-advisories/connection-less-lightweight-directory-access-protocol-reflection-ddos-threat-advisory.jsp
https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/cldap-threat-advisory.pdf
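As an added example (not code from this diary, from ISC or from Akamai), here is a Python script that hand-encodes the CLDAP "tell me about yourself" request against the rootDSE, parses whatever comes back, and reports the amplification factor (response bytes divided by request bytes). It is the quickest way to check from outside your perimeter whether one of your own directories is a usable reflector. The host name in the usage note and the sample reply inside the script are constructed for the example, not captured from a real server; only point `probe()` at hosts you are authorised to test.

```python
"""CLDAP (udp/389) rootDSE probe with amplification measurement.
Added example, not the diary's or Akamai's code.  Host names and the
sample reply are constructed for offline use, not captured."""
import socket
from typing import Iterator, Optional, Tuple


# ---- minimal BER encoding (just enough for LDAP) ----------------------
def ber_len(n: int) -> bytes:
    """Definite length: one byte below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(n: int, tag: int = 0x02) -> bytes:
    """INTEGER (or ENUMERATED with tag 0x0A) as minimal two's complement."""
    size = max(1, (n.bit_length() + 8) // 8)
    return tlv(tag, n.to_bytes(size, "big", signed=True))


def ber_str(s: str) -> bytes:
    return tlv(0x04, s.encode())


def rootdse_request(message_id: int = 1, attributes: Tuple[str, ...] = ()) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 3] SearchRequest } asking the
    rootDSE to describe itself: base "", scope baseObject, (objectClass=*).
    An empty attribute list requests every user attribute, which is why a
    39-byte datagram earns a reply many times its size."""
    search = (
        ber_str("")                   # baseObject: "" = the rootDSE
        + ber_int(0, tag=0x0A)        # scope: baseObject(0)
        + ber_int(0, tag=0x0A)        # derefAliases: neverDerefAliases(0)
        + ber_int(0)                  # sizeLimit: server default
        + ber_int(0)                  # timeLimit: server default
        + tlv(0x01, b"\x00")          # typesOnly: FALSE
        + tlv(0x87, b"objectClass")   # filter: present [7] "objectClass"
        + tlv(0x30, b"".join(ber_str(a) for a in attributes))
    )
    return tlv(0x30, ber_int(message_id) + tlv(0x63, search))


# ---- minimal BER decoding ----------------------------------------------
def ber_iter(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, value) for each TLV at one nesting level."""
    i = 0
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:                      # long form
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        yield tag, buf[i:i + length]
        i += length


def parse_response(datagram: bytes) -> dict:
    """Count SearchResultEntry ([APPLICATION 4]) and SearchResultDone
    ([APPLICATION 5]) PDUs and list the attribute types returned.  One CLDAP
    datagram may carry several LDAPMessages back to back."""
    out = {"entries": 0, "done": 0, "attributes": []}
    for tag, msg in ber_iter(datagram):
        if tag != 0x30:
            continue
        _msg_id, (op_tag, op) = list(ber_iter(msg))[:2]
        if op_tag == 0x64:
            out["entries"] += 1
            _dn, (_t, attr_list) = list(ber_iter(op))[:2]
            for _seq, attr in ber_iter(attr_list):
                (_t, atype), _vals = list(ber_iter(attr))[:2]
                out["attributes"].append(atype.decode())
        elif op_tag == 0x65:
            out["done"] += 1
    return out


def amplification(request: bytes, response: bytes) -> float:
    """Bytes the reflector sends per byte the (spoofed) requester sent."""
    return len(response) / len(request)


def sample_response(message_id: int = 1) -> bytes:
    """CONSTRUCTED rootDSE reply in the shape a directory returns, so the
    example runs offline; a real AD domain controller returns far more."""
    attrs = {
        "namingContexts": ["DC=corp,DC=example",
                           "CN=Configuration,DC=corp,DC=example",
                           "CN=Schema,CN=Configuration,DC=corp,DC=example"],
        "supportedLDAPVersion": ["3", "2"],
        "supportedSASLMechanisms": ["GSSAPI", "GSS-SPNEGO", "EXTERNAL", "DIGEST-MD5"],
        "dnsHostName": ["dc1.corp.example"],
    }
    attr_list = b"".join(  # PartialAttribute ::= SEQUENCE { type, SET OF value }
        tlv(0x30, ber_str(t) + tlv(0x31, b"".join(ber_str(v) for v in vals)))
        for t, vals in attrs.items())
    entry = tlv(0x64, ber_str("") + tlv(0x30, attr_list))
    done = tlv(0x65, ber_int(0, tag=0x0A) + ber_str("") + ber_str(""))  # success
    return (tlv(0x30, ber_int(message_id) + entry)
            + tlv(0x30, ber_int(message_id) + done))


def probe(host: str, port: int = 389, timeout: float = 2.0) -> Optional[dict]:
    """Send one rootDSE request over UDP and report what came back; None means
    nothing answered within the timeout.  Only use against hosts you own."""
    req = rootdse_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, port))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    info = parse_response(data)
    info["amplification"] = amplification(req, data)
    return info


if __name__ == "__main__":
    req, resp = rootdse_request(), sample_response()
    print(f"request {len(req)} B, sample reply {len(resp)} B, "
          f"x{amplification(req, resp):.1f}", parse_response(resp))
```

Running `probe("dc1.corp.example")` (a hypothetical host) from an address outside your network tells you what an attacker learns: `None` means the port is filtered or the service ignores UDP, while any parsed result means the host will answer unauthenticated rootDSE queries from anyone and can therefore be pointed at a spoofed victim. Even the small constructed reply above is about 7.5 times the size of the 39-byte request; a domain controller's real rootDSE, with its full naming contexts, supported controls and capability OIDs, is much larger, which is where Akamai's observed amplification comes from.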

===============
Rob VandenBrink
Compugen

 
QEMU AMD PCnet Ethernet Emulation Heap Based Buffer Overflow Vulnerability
 
[SYSS-2017-009] agorum core Pro - Improper Restriction of XML External Entity Reference ('XXE')
 
[SYSS-2017-007] agorum core Pro - Cross-Site Scripting
 
[SYSS-2017-008] agorum core Pro - Cross-Site Request Forgery
 
[SYSS-2017-005] agorum core Pro - Persistent Cross-Site Scripting
 
[SYSS-2017-006] agorum core Pro - Insecure Direct Object Reference
 
Google Android Bouncy Castle CVE-2015-6644 Information Disclosure Vulnerability
 
X.Org libXfixes CVE-2016-7944 Integer Overflow Vulnerability
 
X.Org libXv CVE-2016-5407 Memory Corruption Vulnerability
 
X.Org libXrandr CVE-2016-7947 Multiple Integer Overflow Vulnerabilities
 
X.Org libXfixes CVE-2016-7945 Multiple Integer Overflow Vulnerabilities
 
Trend Micro Threat Discovery Appliance CVE-2016-7552 Directory Traversal Vulnerability
 
Palo Alto Networks PAN-OS CVE-2017-7217 Security Bypass Vulnerability
 
April 2017 - HipChat Server Advisory
 
DefenseCode Security Advisory: Magento 0day Arbitrary File Upload Vulnerability (Remote Code Execution, CSRF)
 
CVE-2017-7456 Moxa MXview v2.8 Denial Of Service
 
Adobe Campaign CVE-2017-2989 Unspecified Security Bypass Vulnerability
 