Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 


For seven years, Xen virtualization software used by Amazon Web Services and other cloud computing providers has contained a vulnerability that allowed attackers to break out of their confined accounts and access extremely sensitive parts of the underlying operating system. The bug, which some researchers say is probably the worst ever to hit the open source project, was finally made public Thursday along with a patch.

As a result of the bug, "malicious PV guest administrators can escalate privilege so as to control the whole system," Xen Project managers wrote in an advisory. The managers were referring to an approach known as paravirtualization, which allows multiple lower-privileged users to run highly isolated computing instances on the same piece of hardware. By allowing guests to break out of those confines, CVE-2015-7835, as the vulnerability is indexed, compromised a core tenet of virtualization. It comes five months after a similarly critical bug was disclosed in the Xen, KVM, and native QEMU virtual machine platforms.

"The above is a political way of stating the bug is a very critical one," researchers with Qubes OS, a desktop operating system that uses Xen to secure sensitive resources, wrote in an analysis published Thursday. "Probably the worst we have seen affecting the Xen hypervisor, ever. Sadly."


 

For a long time, USB keys have been a convenient out-of-band infection vector. People like goodies, and people like to plug those small pieces of plastic into their computers. Even though good solutions exist (like BitLocker, the standard solution provided by Microsoft), many infrastructures are not protected against the use of rogue USB keys, for many good or obscure reasons.

There are also many reasons to receive USB keys: from partners, customers, contractors, vendors, etc. The best practice should be to scan any suspicious device for malicious documents, but how do you achieve this in a way that is safe AND not boring? If you propose a tool that is easy to use, you increase your chances of having it adopted by more people!

CIRCL (Computer Incident Response Center Luxembourg) comes from a very small country, but they are very active and renowned. They developed a tool to sanitize USB keys. It's so easy that even non-technical people can use it! The project is called CIRCLean. It's a piece of software that you install on an inexpensive Raspberry Pi computer. You connect the suspicious device to USB port A and a clean USB device to port B, power the box

What does it do? Multiple operations are performed on files, based on their MIME type. For example, Word files are converted to PDF and then to HTML. Other files are renamed with a DANGEROUS_ prefix prepended. Once sanitized (or found to be non-dangerous), files are copied to the destination USB key. The code is available on their GitHub repository.
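As an added example (not CIRCLean's own code), here is the MIME-type policy the diary describes, in Python: content is classified by magic bytes rather than by file extension, convertible documents go through a converter hook, and everything else, including any file whose converter is missing or whose extension lies about its content, is copied only under the DANGEROUS_ prefix. The signature table, the extension map and the converter dictionary are assumptions for this example; CIRCLean's real conversion chain (Word to PDF to HTML) is not implemented here.

```python
import os

# Constructed magic-byte table for this example (a real deployment would use libmagic).
SIGNATURES = [
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),          # OOXML (.docx/.xlsx) is a zip container
    (b"\xd0\xcf\x11\xe0", "application/x-ole"),  # legacy .doc/.xls OLE2 container
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"MZ", "application/x-dosexec"),
]
# Types the policy converts to a safer representation; anything else that is not
# explicitly safe is passed through only under the DANGEROUS_ prefix.
CONVERTIBLE = {"application/pdf", "application/zip", "application/x-ole"}
PASSTHROUGH = {"image/png", "text/plain"}
EXT_TO_TYPE = {".pdf": "application/pdf", ".docx": "application/zip",
               ".doc": "application/x-ole", ".png": "image/png", ".txt": "text/plain"}

def detect_type(data):
    """Classify by content: magic bytes first, then printable-ASCII check for text."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    is_text = bool(data) and all(32 <= b < 127 or b in b"\r\n\t" for b in data)
    return "text/plain" if is_text else "application/octet-stream"

def plan(name, data, converters):
    """Return (action, output name). Fails closed: mismatched, unknown or
    unconvertible content is never copied under its original name."""
    mime = detect_type(data)
    stem, ext = os.path.splitext(name)
    if EXT_TO_TYPE.get(ext.lower()) != mime:      # extension disagrees with content
        return "rename", "DANGEROUS_" + name
    if mime in CONVERTIBLE and mime in converters:
        return "convert", stem + ".html"          # converter hook: bytes -> HTML bytes
    if mime in PASSTHROUGH:
        return "copy", name
    return "rename", "DANGEROUS_" + name          # no converter available: do not pass through

def sanitize_tree(src, dst, converters=None):
    """Copy every regular file under src into dst per plan(); return {name: action}."""
    converters = converters or {}
    os.makedirs(dst, exist_ok=True)
    results = {}
    for name in sorted(os.listdir(src)):
        path = os.path.join(src, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        action, out_name = plan(name, data, converters)
        if action == "convert":
            data = converters[detect_type(data)](data)
        with open(os.path.join(dst, out_name), "wb") as fh:
            fh.write(data)
        results[name] = action
    return results
```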

Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key

 