Hackin9
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com:
  • Heap overflow in QEMU PCNET controller, allowing guest->host escape [XSA-135, CVE-2015-3209] (#1230537)
  • GNTTABOP_swap_grant_ref operation misbehavior [XSA-134, CVE-2015-4163]
  • Vulnerability in the iret hypercall handler [XSA-136, CVE-2015-4164]
  • Potential unintended writes to host MSI message data field via qemu [XSA-128, CVE-2015-4103]
  • PCI MSI mask bits inadvertently exposed to guests [XSA-129, CVE-2015-4104]
  • Guest triggerable qemu MSI-X pass-through error messages [XSA-130, CVE-2015-4105]
  • Unmediated PCI register access in qemu [XSA-131, CVE-2015-4106]
 
LinuxSecurity.com:
  • Heap overflow in QEMU PCNET controller, allowing guest->host escape [XSA-135, CVE-2015-3209]
  • GNTTABOP_swap_grant_ref operation misbehavior [XSA-134, CVE-2015-4163]
  • Vulnerability in the iret hypercall handler [XSA-136, CVE-2015-4164]
 
LinuxSecurity.com:
  • stubs-32.h is back, so revert to previous behaviour.
  • Heap overflow in QEMU PCNET controller, allowing guest->host escape [XSA-135, CVE-2015-3209]
  • GNTTABOP_swap_grant_ref operation misbehavior [XSA-134, CVE-2015-4163]
  • Vulnerability in the iret hypercall handler [XSA-136, CVE-2015-4164]
 
LinuxSecurity.com: CVE-2015-0848 heap overflow when decoding BMP images
 
LinuxSecurity.com:
  • implement public key pinning for NSS backend (#1195771)
  • fix lingering HTTP credentials in connection re-use (CVE-2015-3236)
  • prevent SMB from sending off unrelated memory contents (CVE-2015-3237)
  • curl-config --libs now works on x86_64 without libcurl-devel.x86_64 (#1228363)
 
LinuxSecurity.com: Multiple moderate and low impact security issues fixed.
 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Google has removed an extension from Chromium, the open source sibling to the Chrome browser, after accusations that the extension was installed surreptitiously and subsequently eavesdropped on Chromium users.

The issue first came to light in late May when a bug was filed in the Debian bug tracker. Chromium version 43 was seen downloading a binary extension from Google, and there was neither any ability to prevent this download, nor any source code available for the extension. The extension, called "Chrome Hotword," was found to be responsible for providing the browser's "OK, Google" functionality. Although off by default, both Chrome and Chromium, when set to use Google as their default search engine, can permanently listen to the microphone and respond instantly to voice queries, with "OK Google" used as the trigger keyword.

Concern about the nature and purpose of the extension was compounded by the way the browser did and didn't disclose the extension's existence. The list of extensions visible at chrome://extensions/ doesn't include Hotword. Conversely, Hotword's own status page, chrome://voicesearch/ said that by default the extension was enabled and had access to the microphone.


 

With the total number of people affected by the data breach at the Office of Personnel Management now estimated to be as many as 18 million, OPM Director Katherine Archuleta has mounted a public relations counter-attack, defending the agency's efforts to improve security during her tenure and crediting those efforts with finding the malware at the heart of the breach in the first place. But the news of the exposure has caused a wave of fear and distrust among federal employees—with some who work in the intelligence community now concerned for their families' safety.

Archuleta defended her tenure before a Senate hearing on June 23. "I'm as angry as you are that this is happening," she said in a message to federal employees and retirees during her testimony. "I am dedicated to ensuring that OPM does everything in its power to protect the federal workforce, and to ensure that our systems will have the best cyber security posture the government can provide." And she insisted that no one at OPM was to blame for the breaches, saying, "If there is anyone to blame, it is the perpetrators."

Today, OPM e-mailed an eight-page document outlining OPM's "Actions to Strengthen Cybersecurity and Protect Critical IT Systems" to members of the media. In the document, OPM officials asserted, "Upon Director Archuleta’s arrival, OPM engaged in an end-to-end review of its IT systems and processes. Based on that review, the agency developed a Strategic Plan for Information Technology to guide its efforts to protect its legacy systems to the maximum extent possible as it replaced them with more modern and secure systems. This plan laid out a multi-phase strategy to bolster security through realignment of professional staff, adherence to relevant laws, policies and best practices, and investments in modern tools."


 
[SECURITY] [DSA 3295-1] cacti security update
 
CVE-2015-4464 Insufficient Authorization Checks Request Handling Remote Authentication Bypass for Kguard Digital Video Recorders
 

Powershell has gotten a lot of attention lately as a pentester's tool of choice, since it has access to pretty much every low-level system function in the Microsoft ecosystem, and the AV industry isn't dealing well with that yet (aside from ignoring Powershell completely, that is).

But what about day-to-day system administration? Really, the possibilities for admins are just as limitless as for pentesters - that's what Powershell was invented for, after all!

A simple call like get-aduser -filter * -properties * can get you everything you want on domain user accounts. However, most sysadmins will look at this and give me the TLDR response - it's just too much information to process effectively.

But how about filtering that? Let's find all users who aren't required to reset their passwords.

Or who don't have passwords at all?

How about those who have never reset their passwords (i.e., haven

get-aduser -filter * -properties * | select samaccountname,passwordlastset

Operationally, let's add to the list - say, folks who've had their accounts locked. This might be a "reset password on Friday, can't remember on Monday" symptom, but it might also be someone brute forcing that account on the corporate website or VPN.

get-aduser -filter * -properties * | select samaccountname,passwordlastset,lockedout

You can use the above to also find out who's left the organization. If you're like lots of IT groups, maybe HR isn't so timely in letting you know about departures! Let's dig to see who hasn't logged in in 4 weeks. 8 weeks? 12 weeks? Best call HR with this list in hand to see if these folks are on longer-term leave, or if they

get-aduser -filter * -properties * | select samaccountname,lastlogondate

At this point it becomes obvious that you want to sort these lists.

get-aduser -filter * -properties * | select samaccountname,passwordlastset | out-gridview

I find the CSV output, which can then be imported to Excel, to be the most useful.

get-aduser -filter * -properties * | select samaccountname, name, enabled, scriptpath, passwordlastset, passwordexpired, passwordneverexpires, passwordnotrequired, lockedout, lastlogondate, cannotchangepassword, accountexpirationdate | export-csv c:\pathspec\account-problems-yy-mm-dd.csv

This imports directly into Excel (or any other spreadsheet), where you can slice and dice to your heart's content.
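Pulling the queries above together, here is an added example (not from the original diary) that makes one pass over the domain, flags each account-hygiene condition the diary walks through, and writes only the accounts with findings to CSV. It assumes the ActiveDirectory module (RSAT) is installed and the caller can read user objects; the staleness threshold and the output path are assumptions you can change. It also requests only the attributes it needs rather than -properties *, which matters on a large domain.

```powershell
# Added example, not code from the original diary. Assumes the ActiveDirectory
# module is available; $StaleWeeks and $OutFile are assumed values.
Import-Module ActiveDirectory

$StaleWeeks = 8
$OutFile    = "C:\pathspec\account-problems-$(Get-Date -Format 'yyyy-MM-dd').csv"
$StaleSince = (Get-Date).AddDays(-7 * $StaleWeeks)

# Ask only for the attributes we need; -Properties * fetches every attribute
# of every user and is slow against a big directory.
$props = 'Name', 'Enabled', 'ScriptPath', 'PasswordLastSet', 'PasswordExpired',
         'PasswordNeverExpires', 'PasswordNotRequired', 'LockedOut',
         'LastLogonDate', 'CannotChangePassword', 'AccountExpirationDate'

$report = Get-ADUser -Filter * -Properties $props | ForEach-Object {
    $flags = @()

    # A blank password is permitted on the account (UF_PASSWD_NOTREQD).
    if ($_.PasswordNotRequired)  { $flags += 'PasswordNotRequired' }
    # The password is never forced to rotate.
    if ($_.PasswordNeverExpires) { $flags += 'PasswordNeverExpires' }
    # pwdLastSet is 0: never set, or "user must change password at next logon".
    if (-not $_.PasswordLastSet) { $flags += 'PasswordNeverSet' }
    if ($_.LockedOut)            { $flags += 'LockedOut' }

    # LastLogonDate is derived from lastLogonTimestamp, which replicates with a
    # lag of up to 14 days by default, so treat "stale" as approximate.
    if ($_.Enabled -and
        ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $StaleSince)) {
        $flags += "NoLogonIn${StaleWeeks}Weeks"
    }

    if ($flags.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName        = $_.SamAccountName
            Name                  = $_.Name
            Enabled               = $_.Enabled
            Flags                 = ($flags -join ';')
            PasswordLastSet       = $_.PasswordLastSet
            LastLogonDate         = $_.LastLogonDate
            AccountExpirationDate = $_.AccountExpirationDate
        }
    }
}

# CSV for the spreadsheet / HR follow-up, plus a sortable view for right now.
$report | Sort-Object LastLogonDate | Export-Csv -Path $OutFile -NoTypeInformation
$report | Out-GridView -Title "AD account problems ($($report.Count) accounts)"
```

The Flags column is semicolon-joined so one row per account survives the trip through Excel; filter on it to get back each of the diary's individual lists. Disabled accounts are excluded from the stale-logon check on purpose, since they already show up as Enabled = False and would otherwise swamp the list.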

In closing, let me acknowledge Jason Fossen and SANS SEC 505 for re-kindling my enthusiasm for Powershell! If you want to dig deeper into Powershell with a security slant, I'll be posting on this topic for a while, so stay tuned. But if you want 6 days solid of concentrated Powershell + Windows goodness, take a look at SEC 505!

===============
Rob VandenBrink
Metafore

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Yet again, Adobe has released a new patch to fix a critical vulnerability that "could potentially allow an attacker to take control of the affected system," according to the company.

Adobe acknowledged that the flaw (CVE-2015-3113) is "being actively exploited in the wild via limited, targeted attacks." Known affected systems run Internet Explorer for Windows 7 and below and Firefox on Windows XP, according to the patch details. Adobe says the following software can potentially be impacted:

  • Adobe Flash Player 18.0.0.161 and earlier versions for Windows and Macintosh
  • Adobe Flash Player Extended Support Release version 13.0.0.292 and earlier 13.x versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.466 and earlier 11.x versions for Linux

The company recommends updating to the latest version of Flash to avoid the risk of exploitation, but at this point users should take a hard look at how necessary Flash is to their daily Internet use. In 2015 alone, we've seen Adobe issue multiple emergency Flash updates to patch critical vulnerabilities under active attack—including three such instances in the first five weeks of the year. The situation has gotten so grim that security reporter Brian Krebs recently experimented with a month without having the Flash Player installed at all. "The result? I hardly missed it at all," Krebs writes.

This newest flaw was uncovered through the help of FireEye security researchers. A Singapore-based FireEye team discovered the vulnerability in June by detecting a phishing campaign exploiting CVE-2015-3113. "The attackers’ e-mails included links to compromised Web servers that served either benign content or a malicious Adobe Flash Player file that exploits CVE-2015-3113," FireEye writes.

FireEye identified APT3, a China-based group also known as UPS, as responsible for these attacks (see more on the group in FireEye's report on Operation Clandestine Fox). APT3 has previously introduced other browser-based zero-day attacks against Internet Explorer and Firefox. FireEye notes APT3's tactics are difficult to monitor given there's little overlap between campaigns, and the group typically moves quickly ("After successfully exploiting a target host, this group will quickly dump credentials, move laterally to additional hosts, and install custom backdoors," the new report states). According to the security researchers, APT3 has implemented these phishing schemes against companies in aerospace and defense, engineering, telecommunications, and transportation this year.

FireEye's report on CVE-2015-3113 offers much greater detail than Adobe's patch notes. For instance, the typical phishing e-mails were spam-like offers for refurbished iMacs:

"Save between $200-450 by purchasing an Apple Certified Refurbished iMac through this link. Refurbished iMacs come with the same 1-year extendable warranty as new iMacs. Supplies are limited, but update frequently.

Don't hesitate . . . Go to Sale"

FireEye also broke down where unfortunate targets were directed after clicking such URLs—a compromised server hosting JavaScript profiling scripts. "Once a target host was profiled, victims downloaded a malicious Adobe Flash Player SWF file and an FLV file," FireEye reports. "This ultimately resulted in a custom backdoor known as SHOTPUT, detected by FireEye as Backdoor.APT.CookieCutter, being delivered to the victim’s system. The payload is obscured using xor encoding and appended to a valid GIF file."


 
CVE-2015-3443 XSS in Thycotic Secret Server version 8.6.000000 to 8.8.000004
 

Update: National Archives officials now report that the "indicators of compromise" found on three Archives systems were a false positive, and that no breach has occurred, contrary to a NextGov report yesterday. Laura Diachenko, a spokesperson for the National Archives, told Ars in an e-mail that files matching a fingerprint for the malware had been detected on the Archives' network.

"The National Archives (NARA) detected two files on three individual workstations that matched some of the criteria that the Department of Homeland Security provided, in the wake of the Office of Personnel Management hack," Diachenko told Ars. "We took precaution by immediately reporting to US-CERT. US-CERT has deemed the files found on NARA's computers to be legitimate files and not associated with the OPM incident. NARA is partnering with DHS and US-CERT pro-actively to ensure that NARA systems are protected to the fullest extent possible."

The "indicators of compromise", or IOCs, shared by the Department of Homeland Security, had been fed into the National Archives' in-house vulnerability scanning tool. They triggered an alert. However, contrary to NextGov's report, those files were in fact found to be benign, and related to Internet Explorer.


 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Updated libreswan packages that fix one security issue, several bugs and add two enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security [More...]
 
LinuxSecurity.com: Updated kernel-rt packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. [More...]
 
LinuxSecurity.com: Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security [More...]
 
LinuxSecurity.com: Updated mailman packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security [More...]
 
LinuxSecurity.com: Updated kernel-rt packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise MRG 2.5. [More...]
 
[SECURITY] [DSA 3294-1] wireshark security update
 