Hackin9
McAfee ePolicy Orchestrator 'conditionXML' Parameter XML External Entity Injection Vulnerability
 
Oracle MySQL Server CVE-2015-0411 Remote Security Vulnerability
 
Oracle MySQL Server CVE-2015-0374 Remote Security Vulnerability
 

Posted by InfoSec News on Jan 23

Forwarded from: Squirrel Herder Productions <squirrelherderproductions (at) gmail.com>

Carolina Advanced Digital, Inc. has opened the CFP for their 13th annual IT
HotTopics Conference and Golf Tourney, at the stunning Grandover Resort and Spa,
in Greensboro, North Carolina, U.S.A.

Conference: May 6th & 7th

CFP: http://cfp.hottopicsconference.com

Registration:...
 

Posted by InfoSec News on Jan 23

http://www.csoonline.com/article/2874230/cybercrime-hacking/thousands-of-us-gas-stations-exposed-to-internet-attacks.html

By Lucian Constantin
IDG News Service
Jan 23, 2015

Over 5,000 devices used by gas stations in the U.S. to monitor their fuel
tank levels can be manipulated from the Internet by malicious attackers.

These devices, known as automated tank gauges (ATGs), are also used to
trigger alarms in case of problems with the tanks,...
 

Posted by InfoSec News on Jan 23

http://www.information-age.com/technology/security/123458891/how-7-year-old-girl-hacked-public-wi-fi-network-10-minutes

By Ben Rossi
Information Age
21 January 2015

Free Wi-Fi at a coffee shop or other public space is a welcome sign for
millions of people everyday who want to get some work done, make a video
call, or just catch up on a bit of online shopping.

However, as results of a new experiment today prove, public Wi-Fi is so
unsecure...
 

Posted by InfoSec News on Jan 23

http://arstechnica.com/security/2015/01/yes-123456-is-the-most-common-password-but-heres-why-thats-misleading/

By Mark Burnett
Ars Technica
Jan 22, 2015

I recently worked with SplashData to compile its 2014 Worst Passwords
List, and yes, 123456 tops the list. In the data set of 3.3 million
passwords I used for SplashData, almost 20,000 of those were in fact
123456. But how often do you genuinely see people using that, or the
second most...
 

Posted by InfoSec News on Jan 23

http://dealbook.nytimes.com/2015/01/22/in-davos-executives-express-worries-over-more-disruptive-cyberattacks

By DAVID GELLES
Dealbook
The New York Times
JANUARY 22, 2015

DAVOS, Switzerland – Executives from Target and Home Depot were not
present at the World Economic Forum, where world leaders and corporate
titans are rubbing shoulders and debating weighty issues.

Yet the names of those two companies are being invoked several times a day...
 

We have decided to change the Infocon [1] to yellow in order to bring attention to the multiple recent Adobe Flash Player vulnerabilities [2] that are being actively exploited. There have been 3 patched vulnerabilities that have an update, and applying them is highly recommended. 1 of the vulnerabilities has not yet been patched, and a fix is expected to be released as an OOB (Out of Band) update next week by Adobe [3].

Our reasoning is that Adobe Flash Player is very widely installed, the vulnerability affects multiple platforms, remote code execution gives the attacker complete control of the system, the patch is not yet available, it affects both organizational IT systems and home or SOHO users, a crimeware kit is actively exploiting the vulnerabilities, people might mistakenly believe that yesterday's patch fixes all of the issues, and, last but not least, mitigation through EMET or other tools is not normally feasible for home users or for quick deployment in enterprise environments without testing. In short, the high impact of these vulnerabilities being exploited warrants raising the Infocon from now until Monday.

[1] https://isc.sans.edu/infocon.html

[2] https://isc.sans.edu/forums/diary/Flash+0Day+Deciphering+CVEs+and+Understanding+Patches/19223/

[3]

Adrien de Beaupré
My SANS teaching schedule

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The software allows real-time experiment control for quantum information systems realized in trapped ions. NIST has partnered with the private sector to develop the next-generation open-source control software for quantum information ...
 
The National Institute of Standards and Technology (NIST) is seeking comments on a revised draft document that details the principles and processes it will follow to develop its cryptographic standards and guidelines. Comments will be ...
 
LinuxSecurity.com: elfutils could be made to overwrite files in the root directory if it received a specially crafted file.
 
LinuxSecurity.com: Updated java-1.8.0-oracle packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Critical security [More...]
 
LinuxSecurity.com: Updated jasper packages that fix two security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security [More...]
 
LinuxSecurity.com: Updated java-1.7.0-oracle packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security [More...]
 
LinuxSecurity.com: A security issue was fixed in Samba.
 
LinuxSecurity.com: Several security issues were fixed in MySQL.
 
LinuxSecurity.com: Updated java-1.8.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security [More...]
 
LinuxSecurity.com: Updated java-1.7.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Critical security [More...]
 
LinuxSecurity.com: Updated openssl packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security [More...]
 
LinuxSecurity.com: Updated kernel packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 6.5 Extended Update Support. [More...]
 
LinuxSecurity.com: Updated java-1.7.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security [More...]
 
 

We would like to thank Richard Ackroyd of RandomStorm for reporting a critical input validation error in our site to us. As we have done before, here is how it happened, so hopefully you can learn from it as well.

Let's start with a bit of background. Our site deals a lot with IPv4 addresses. Most of the time, we store IPv4 addresses as a string. I know this isn't the most efficient way, but well, that decision goes back to the beginning. To make sorting and indexing simpler, we pad IPv4 addresses with zeros, and you may have seen this on the site: 192.0.2.1 becomes 192.000.002.001.

Originally, I used a simple trick to validate IP addresses. I just converted the IP address to its long integer format, and then back to a string. This guarantees that you end up with a valid IP address. Later, we started using more of the standard FILTER functions in PHP to make some input validation easier, and modified the IPv4 validation function to use them. At the same time, to make the code a bit simpler, we also added an unpad function to fix up the IP address by removing the extra 0s first.

Here is a quick look at the vulnerable code (the listing was damaged in extraction; the missing pieces are reconstructed here from the description that follows):

if ( is_ipv4($sIPAddress) ) {
   ... use $sIPAddress ...
} else {
   ... display error ...
}

function is_ipv4($sValue) {
  // unpad first, then validate the unpadded copy; the caller keeps using the original
  $sValue = unpadip($sValue);
  if ( filter_var($sValue, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) ) {
    return true;
  }
  return false;
}

function unpadip($sIP) {
    $aIP = explode(".", $sIP);
    if ( sizeof($aIP) != 4 ) return false;
    // %d drops anything after the leading digits of each octet
    return sprintf("%d.%d.%d.%d", $aIP[0], $aIP[1], $aIP[2], $aIP[3]);
}

So why is this wrong? The big problem is that I am modifying the value (unpad) before validating it, and then using the unmodified value, not the one I modified. At first, that doesn't look too bad in this case. But it turns out that the unpad function does more than just remove extra 0s. Any other non-numeric character is removed. E.g. try:

printf("%d", "123 this is an exploit");

and you will get 123 back. That is part of the point of %d. The end result was that we validated a value that was cleansed by unpad, but then used the dirty value which still included the exploit code.

Our solution for now is twofold:

- add a bit more input validation to the unpad function, just in case we use it unsafely in other parts of the code
- remove the unpad from the is_ipv4 validation function.

The ultimate solution would be to change how we store IPv4 addresses and store them as a long integer, which is much more efficient, but that will take some time as we have a lot of code that needs to read/write from those tables. For IPv6 we use two 64 bit numbers (BIGINT in MySQL), which works very well as it splits the network and interface parts.
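As an added example (not the ISC site's code; the function names are mine), the following contrasts the diary's validate-the-cleaned-copy-but-use-the-raw-value pattern with a validator that returns the canonical address the caller must use, and shows the %d coercion that made the loose unpad accept trailing junk:

```php
<?php
// Added example, not the ISC site's code; function names are mine.

// Shape of the diary's bug: the unpadded copy is validated, but the caller
// keeps using the original string, which this validator never hands back.
function unpadip_loose(string $sIP) {
    $aIP = explode(".", $sIP);
    if (count($aIP) != 4) return false;
    // %d keeps only the leading digits: "001 this is an exploit" becomes 1
    return sprintf("%d.%d.%d.%d", $aIP[0], $aIP[1], $aIP[2], $aIP[3]);
}

function is_ipv4_vulnerable(string $sValue): bool {
    $sUnpadded = unpadip_loose($sValue);
    return $sUnpadded !== false
        && filter_var($sUnpadded, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
}

// Hardened: check every octet strictly and return the canonical dotted form
// (or null). The caller must use only the returned value, never its own input.
function canonical_ipv4(string $sValue): ?string {
    $aIP = explode(".", $sValue);
    if (count($aIP) !== 4) return null;
    $octets = [];
    foreach ($aIP as $part) {
        // one to three digits and nothing else, so trailing junk is rejected outright
        if (preg_match('/^[0-9]{1,3}\z/', $part) !== 1) return null;
        $n = (int)$part;
        if ($n > 255) return null;
        $octets[] = $n;
    }
    return sprintf("%d.%d.%d.%d", ...$octets);
}

// The site's zero-padded storage form: 192.0.2.1 -> 192.000.002.001
function padded_ipv4(string $sCanonical): string {
    return vsprintf("%03d.%03d.%03d.%03d", explode(".", $sCanonical));
}

// Constructed inputs in the diary's own style.
$tainted = "192.000.002.001 this is an exploit";
var_dump(is_ipv4_vulnerable($tainted));
var_dump(canonical_ipv4($tainted));
var_dump(canonical_ipv4("192.000.002.001"));
var_dump(padded_ipv4("192.0.2.1"));
```

Run under php: is_ipv4_vulnerable() reports the constructed input as valid even though the raw string is what a caller would go on to use, while canonical_ipv4() rejects it and returns "192.0.2.1" only for the clean padded form.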

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

 

In the last two weeks, we have so far had two different Adobe advisories (one regularly scheduled, and one out of band), and three new vulnerabilities. I would like to help our readers decipher some of the CVEs and patches that you may have seen.

[Table: CVE / Fixed in Flash Version; the row data did not survive extraction apart from a "yes" entry and a reference to APSA15-01]

So in short: there is still one unpatched Flash vulnerability. Systems running Windows 8 or below with Firefox or Internet Explorer are vulnerable. You are not vulnerable if you are running Windows 8.1, and the vulnerability is not exposed via Chrome. EMET appears to help, as may other tools like Malwarebytes Anti-Exploit.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

 
Info-ZIP UnZip Out of Bounds Denial of Service Vulnerability
 
Samba CVE-2014-8143 Privilege Escalation Vulnerability
 
Fwd: REWTERZ-20140103 - ManageEngine ServiceDesk Plus User Privileges Management Vulnerability
 
REWTERZ-20140102 - ManageEngine ServiceDesk Plus User Enumeration Vulnerability
 
REWTERZ-20140101 - ManageEngine ServiceDesk SQL Injection Vulnerability
 
[HITB-Announce] #HITB2015AMS Call for Papers 1st Round is Closing in 10 Days
 

Optus, iiNet concerned at 'relaxed' NBN infosec rules
iT News
Optus and iiNet have voiced concerns that hard-fought rules on how Telstra handles confidential information it receives in the course of migrating users onto the NBN are about to be "relaxed". The concerns are raised in submissions to a Department of ...

 
Internet Storm Center Infocon Status