nginx CVE-2016-4450 Denial of Service Vulnerability
(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
WebKit CVE-2016-4677 Multiple Unspecified Memory Corruption Vulnerabilities
Apple iOS/tvOS/WatchOS Multiple Information Disclosure Vulnerabilities
Apple iOS/tvOS/macOS CVE-2016-7579 Information Disclosure Vulnerability
Apple macOS Prior to 10.12.1 Multiple Security Vulnerabilities
Apple Mac OS X and iOS CVE-2016-4635 Security Bypass Vulnerability


There's a new method for rooting Android devices that's believed to work reliably on every version of the mobile operating system and a wide array of hardware. Individuals can use it to bypass limitations imposed by manufacturers or carriers, but it could also be snuck into apps for malicious purposes.

The technique comes courtesy of a Linux privilege-escalation bug that, as came to light last week, attackers are actively exploiting to hack Web servers and other machines. Dirty Cow, as some people are calling the vulnerability, was introduced into the core Linux kernel in 2007. It's extremely easy to exploit, making it one of the worst privilege-elevation flaws ever to hit the open-source OS.

Independent security researcher David Manouchehri told Ars that this proof-of-concept code that exploits Dirty Cow on Android gets devices close to root. With a few additional lines, Manouchehri's code provides persistent root access on all five of the Android devices he has tested.


ISC BIND CVE-2016-2775 Remote Denial of Service Vulnerability
ISC BIND CVE-2016-6170 Remote Denial of Service Vulnerability
ISC BIND CVE-2016-2088 Remote Denial of Service Vulnerability
APPLE-SA-2016-10-24-3 Safari 10.0.1
OpenSSL CVE-2016-8610 Denial of Service Vulnerability
Microsoft Windows NDISTAPI CVE-2011-1974 Local Privilege Escalation Vulnerability
KMail Multiple Security Vulnerabilities
JasPer CVE-2016-8886 Denial of Service Vulnerability
JasPer 'jp2_cod.c' Null Pointer Dereference Incomplete Fix Denial of Service Vulnerability
Multiple Siemens SICAM RTU Products CVE-2016-7987 Denial of Service Vulnerability
JasPer 'jp2_cod.c' Null Pointer Dereference Denial of Service Vulnerability

Since Friday, the Mirai botnet has become kind of a household name. I have been continuing to watch the botnet infect my test DVR over and over. A couple of things I have seen over the weekend:

  • Overall port 23/2323 scanning activity seems to have gone down a bit. It looks like the countermeasures ISPs are taking show some limited success.
  • At least some of the host names Mirai uses for C&C no longer resolve.
  • However, the host my copy uses to pull down the actual malware seems to be still active.
  • So far I have observed versions for ARM, MIPS, and PowerPC (which would work for some Cisco equipment). Mirai is going after other devices than DVRs, but given the hard-coded xc3511 password, DVRs appear to be the richest source of vulnerable hosts.
  • SHA1 hashes for the different versions:
    8924926be722b5c50a16ed3c8a121dd81d229539 mirai.arm7
    8c56f28cbe59724a7e63ecc4273dd1f661da8b7a mirai.mips
    c0c18e56bbf4c514f34ed8f6204fbe1dba351efe mirai.ppc
  • We get a lot of requests from people asking how to identify infected devices. The simplest method is to look for devices that establish *a lot* of new outbound connections on ports 23 and 2323. So just look for tcp[13]=2 and (port 23 or port 2323), i.e. segments with only the SYN flag set. They will stick out... look for dozens/hundreds of packets per second. But as a rule of thumb: if you know how to do this, chances are you are not vulnerable.
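The detection rule above (pure SYNs to ports 23/2323, dozens per second from one source) can be applied offline to a text packet log as well as live with tcpdump. The script below is an added example, not code from the ISC diary: it parses constructed tcpdump-style lines (the line format, the IP addresses and the threshold of 24 SYNs per second are assumptions for the illustration), counts SYN-only segments to the telnet ports per source per second, and reports sources whose peak rate crosses the threshold. SYN-ACK replies and connections to other ports are deliberately ignored, since only new outbound telnet attempts are the Mirai signal.

```python
import re
from collections import Counter, defaultdict

# tcpdump/BPF filter from the diary: tcp[13] is the TCP flags byte, 2 == SYN only.
BPF_FILTER = "tcp[13]=2 and (port 23 or port 2323)"

TELNET_PORTS = {23, 2323}
SYN_RATE_THRESHOLD = 24  # assumed threshold: "dozens" of SYNs per second from one source

# Assumed input format, e.g.:
# 12:00:00.000001 IP 192.0.2.10.40000 > 198.51.100.1.23: Flags [S]
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return the fields we need from one log line, or None if it is not a packet record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"second": m["ts"], "src": m["src"], "dport": int(m["dport"]), "flags": m["flags"]}


def is_telnet_syn(rec):
    # Flags [S] is a pure SYN (tcp[13]=2). Flags [S.] is a SYN-ACK reply and is not a
    # new outbound connection attempt, so it must not be counted.
    return rec["flags"] == "S" and rec["dport"] in TELNET_PORTS


def syn_rates(lines):
    """Map each source IP to its peak number of telnet SYNs observed in any one second."""
    per_second = defaultdict(Counter)  # src -> Counter(second -> SYN count)
    for line in lines:
        rec = parse_line(line)
        if rec and is_telnet_syn(rec):
            per_second[rec["src"]][rec["second"]] += 1
    return {src: max(counts.values()) for src, counts in per_second.items()}


def suspect_hosts(lines, threshold=SYN_RATE_THRESHOLD):
    """Sources whose peak telnet SYN rate reaches the threshold: likely Mirai-infected."""
    return sorted(src for src, peak in syn_rates(lines).items() if peak >= threshold)


def build_sample_log():
    """Constructed sample traffic: one scanning host, one benign admin host, some noise."""
    lines = []
    # constructed: an infected host fires 50 SYNs to telnet ports within one second
    for i in range(50):
        port = 23 if i % 2 == 0 else 2323
        lines.append(f"12:00:00.{i:06d} IP 192.0.2.10.{40000 + i} > 198.51.100.{i % 250 + 1}.{port}: Flags [S]")
    # constructed: an administrator opens two telnet sessions in the same second
    lines.append("12:00:00.500000 IP 192.0.2.20.50001 > 198.51.100.7.23: Flags [S]")
    lines.append("12:00:00.600000 IP 192.0.2.20.50002 > 198.51.100.8.23: Flags [S]")
    # constructed: a SYN-ACK reply, a web connection and a junk line must not count
    lines.append("12:00:00.700000 IP 198.51.100.7.23 > 192.0.2.20.50001: Flags [S.]")
    lines.append("12:00:00.800000 IP 192.0.2.30.50003 > 198.51.100.9.80: Flags [S]")
    lines.append("this line is not a packet record")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    rates = syn_rates(log)
    print("Live equivalent: tcpdump -n '" + BPF_FILTER + "'")
    for src in suspect_hosts(log):
        print(f"{src}: peak {rates[src]} telnet SYN/s, above threshold {SYN_RATE_THRESHOLD}")
```

On the constructed log only 192.0.2.10 is reported; the admin host at 2 SYN/s stays well under the threshold. For real traffic, feed the output of `tcpdump -n -tt` (or a flow export with the same fields) through `parse_line` after adjusting the regex to the exact format in use.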

Prior articles about Mirai:

ISC Briefing: Large DDoS Attack Against Dyn (with PPT slides for you to use)

The Short Life of a Vulnerable DVR Connected to the Internet (includes full packet capture of an infection)

The Internet of Evil Things: How to Detect and Secure Your Vulnerable Devices from the Mirai Botnet (Webcast)

Johannes B. Ullrich, Ph.D.

[SECURITY] [DSA 3698-1] php5 security update
Atlassian Crowd CVE-2016-6496 LDAP Injection Vulnerability
Apache Struts CVE-2016-4438 Remote Code Execution Vulnerability
Apache Struts CVE-2016-3082 Remote Code Execution Vulnerability
Multiple Panda Security Multiple Products DLL Loading Local Code Execution Vulnerability
IBM Rational Quality Manager CVE-2016-0326 Remote Command Injection Vulnerability
IBM Security Guardium CVE-2016-0242 Information Disclosure Vulnerability
Cisco WebEx Meetings Player CVE-2016-1464 Remote Code Execution Vulnerability