Return to Level1Techs.com

Security and Update Advisories

security

#1

Most of us who manage servers or are generally interested in cyber security are subscribed to various lists, feeds, etc. in an effort to stay up to date. Unfortunately those resources are often either disjointed, incomplete, or ridiculously verbose.

This thread is intended to be a curated list of vulnerabilities, updates and security advisories.

If you see an advisory that you think is relevant to this community, please post it here.

This thread is not intended to be for lengthy discussion. If you want to discuss at length, please link the post into a new topic.

Please provide citations.


General Resources

https://cve.mitre.org/

https://www.us-cert.gov/ncas/bulletins

https://twitter.com/cvenew?lang=en

Misc Resources

https://xenbits.xen.org/xsa/

If you have any others, post them below and Iā€™ll add them to the list.


#2

Samba vulnerability and updates coming next week:

Hi,

this is a heads-up that there will be Samba security updates on
Tuesday, August 14th (~ 8-11am UTC). Please make sure that your Samba
servers will be updated soon after the release!

Impacted components:

  • AD DC (CVSS 7.5, High)
  • client (CVSS 5.9, Medium)
  • file server / classic DC (CVSS 6.8 Medium)

https://lists.samba.org/mailman/listinfo/samba-announce


#3

Various VMware (from yesterday):

ESXi

2016-08-07 VMSA-2015-0007.7
Updated security advisory to add that patches for ESXi 6.0, 6.5 and 6.7
now address CVE-2015-5177.

Horizon

Advisory ID: VMSA-2018-0019
Severity: Important
Synopsis: Horizon 6, 7, and Horizon Client for Windows updates
address an out-of-bounds read vulnerability
Issue date: 2018-08-07
Updated on: 2018-08-07 (Initial Advisory)
CVE number: CVE-2018-6970

https://lists.vmware.com/mailman/listinfo/security-announce


#4

CVE-2018-14526

New attack on WPA/WPA2 using PMKID

Currently ongoing thread:
https://hashcat.net/forum/thread-7717.html

Unauthenticated EAPOL-Key decryption in wpa_supplicant

wpa_supplicant

http://seclists.org/oss-sec/2018/q3/84

Main details:
https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt

Paper
https://papers.mathyvanhoef.com/woot2018.pdf

Is going to affect everything under the sun thatā€™s got WiFi.

Possible mitigation steps

  • Remove TKIP as an allowed pairwise cipher in RSN/WPA2 networks. This can be done also on the AP side.

  • Merge the patches to wpa_supplicant and rebuild:
    WPA: Ignore unauthenticated encrypted EAPOL-Key data

    This patch is available from https://w1.fi/security/2018-1/

  • Update to wpa_supplicant v2.7 or newer, once available

POC/Test Code


#5

A non-CVE advisory

200,000 MikroTik Routers infected With Crypto Malware injector

Original story

https://www.trustwave.com/Resources/SpiderLabs-Blog/Mass-MikroTik-Router-Infection-ā€“-First-we-cryptojack-Brazil,-then-we-take-the-World-/

Advice:

  • Patch Mikrotik devices
  • Secure devices with new credentials
  • Tighten up firewalls
  • Monitor network traffic

#6

WhatsApp flaw allows others to modify group messages and usernames

In essence what this allows:

  1. Abuse the ā€˜quoteā€™ feature in a group chats to change the identity of the sender, even if that person is not a member of the group.
  2. Alter the text of someone elseā€™s reply.
  3. Send a private message to another group participant that is disguised as a public message for all, so when the targeted individual responds, itā€™s visible to everyone in the conversation.

If youā€™re one of those that manually updates Apps:

  • Update yo Apps!
  • Be wary of group message texts that suddenly change.

#7

Hardware backdoor found in a debug feature of ā€œVIA C3 Nehemiah chips made in 2003ā€.

Discussion here:

https://forum.level1techs.com/t/hacker-finds-hidden-god-mode-on-old-x86-cpus/


#8

Something to keep an eye on if you run pfSense or other exposed FreeBSD system.

https://nvd.nist.gov/vuln/detail/CVE-2018-6922


#9

Is this really a security advisory, if all you can do as an attacker is degrading performance?


#10

It sounds like you could effectively ddos the target without needing access to a huge amount of bandwidth (like a botnet). Itā€™s not critical, but I thought it was relevant because of how many people here run pfsense. If it was a Fedora issue or something, I probably wouldnā€™t post it.


#11

Addressed in versions 4.8.4, 4.7.9 and 4.6.16.

o CVE-2018-1139:
Vulnerability that allows authentication via NTLMv1 even if disabled.

o CVE-2018-1140:
Missing null pointer checks may crash the Samba AD DC, both over
DNS and LDAP.

o CVE-2018-10858:
A malicious server could return a directory entry that could corrupt
libsmbclient memory.

o CVE-2018-10918:
Missing null pointer checks may crash the Samba AD DC, over the
authenticated DRSUAPI RPC service.

o CVE-2018-10919:
Missing access control checks allow discovery of confidential attribute
values via authenticated LDAP search expressions.

https://lists.samba.org/mailman/listinfo/samba-announce


#12

New Intel Speculative Execution Vulnerability: Foreshadow

| CVE-2018-3615 | CVE-2018-3620 | CVE-2018-3646 |

Affected Processors

The following Intel-based platforms are potentially impacted by these issues. Intel may modify this list at a later time.

IntelĀ® Coreā„¢ i3 processor (45nm and 32nm)
IntelĀ® Coreā„¢ i5 processor (45nm and 32nm)
IntelĀ® Coreā„¢ i7 processor (45nm and 32nm)
IntelĀ® Coreā„¢ M processor family (45nm and 32nm)
2nd generation IntelĀ® Coreā„¢ processors
3rd generation IntelĀ® Coreā„¢ processors
4th generation IntelĀ® Coreā„¢ processors
5th generation IntelĀ® Coreā„¢ processors
6th generation IntelĀ® Coreā„¢ processors **
7th generation IntelĀ® Coreā„¢ processors **
8th generation IntelĀ® Coreā„¢ processors **
IntelĀ® Coreā„¢ X-series Processor Family for IntelĀ® X99 platforms
IntelĀ® Coreā„¢ X-series Processor Family for IntelĀ® X299 platforms
IntelĀ® XeonĀ® processor 3400 series
IntelĀ® XeonĀ® processor 3600 series
IntelĀ® XeonĀ® processor 5500 series
IntelĀ® XeonĀ® processor 5600 series
IntelĀ® XeonĀ® processor 6500 series
IntelĀ® XeonĀ® processor 7500 series
IntelĀ® XeonĀ® Processor E3 Family
IntelĀ® XeonĀ® Processor E3 v2 Family
IntelĀ® XeonĀ® Processor E3 v3 Family
IntelĀ® XeonĀ® Processor E3 v4 Family
IntelĀ® XeonĀ® Processor E3 v5 Family **
IntelĀ® XeonĀ® Processor E3 v6 Family **
IntelĀ® XeonĀ® Processor E5 Family
IntelĀ® XeonĀ® Processor E5 v2 Family
IntelĀ® XeonĀ® Processor E5 v3 Family
IntelĀ® XeonĀ® Processor E5 v4 Family
IntelĀ® XeonĀ® Processor E7 Family
IntelĀ® XeonĀ® Processor E7 v2 Family
IntelĀ® XeonĀ® Processor E7 v3 Family
IntelĀ® XeonĀ® Processor E7 v4 Family
IntelĀ® XeonĀ® Processor Scalable Family
IntelĀ® XeonĀ® Processor D (1500, 2100)
** indicates Intel microprocessors affected by CVE-2018-3615 - L1 Terminal Fault: SGX


Yeahhh 3 fresh intel security holes
#13

I really donā€™t see this as a vulnerability. Itā€™s just eliminating the need to de-auth someone who is connected and watching the 4 way handshake.

Youā€™d still need to use a wordlist, rainbowtables, or brute-force to find the key.

Mitigation is just using a strong password or using Radius


#14

Iā€™ll let @catsay address your concerns in detail, but as far as this thread goes, the posts donā€™t all need to be vulnerabilities. Any security-related advisories and update advisories that are relevant to the L1T community are fine.


#15

(Common Vulnerabilities and Exposures)
CVE-2018-14526

https://nvd.nist.gov/vuln/detail/CVE-2018-14526

Itā€™s most certainly a vulnerability of the WPA2 implementation.


#16

CVE-2018-14424

use-after-free of disposed transient displays

Impact


allows unprivileged user to trigger denial of service or remote code execution in Gnome GDM

Itā€™s been patched in git upstream.


#17

Official XEN L1 Terminal Fault Advisory XSA-273

https://xenbits.xen.org/xsa/advisory-273.html

Further prior issue as part of the recent XEN X86 security advisories

https://xenbits.xen.org/xsa/advisory-269.html

ISSUE DESCRIPTION


The DEBUGCTL MSR contains several debugging features, some of which virtualise
cleanly, but some do not. In particular, Branch Trace Store is not
virtualised by the processor, and software has to be careful to configure it
suitably not to lock up the core. As a result, it must only be available to
fully trusted guests.

Unfortunately, in the case that vPMU is disabled, all value checking was
skipped, allowing the guest to chose any MSR_DEBUGCTL setting it likes.

IMPACT


A malicious or buggy guest administrator can lock up the entire host, causing
a Denial of Service.

VULNERABLE SYSTEMS


Xen versions 4.6 and later are vulnerable.

Only systems using Intel CPUs are affected. ARM and AMD systems are
unaffected.

Only x86 HVM or PVH guests can exploit the vulnerability. x86 PV guests
cannot exploit the vulnerability.


Running only x86 PV guests avoids the vulnerability.


#18

@oO.o and others

List of public Xen Security Advisories for future reference:

https://xenbits.xen.org/xsa/

Also Iā€™m skipping over a bunch of stuff from the recent Xen project advisories because itā€™s simply too much.


#19

Foreshadow might warrant itā€™s own thread beyond just announcing it here.

Iā€™ll add that to OP.


#20

BTRFS also found a cute bug that allows dead easy shell code injection. :smiley:

https://bugzilla.suse.com/show_bug.cgi?id=1102721

Mounting btrfs images with a label including shell injection characters could cause the cron jobs (running as root) to execute the included shellcode.

For example, bad image can be created with:

	`mkfs.btrfs --label "`/evil/command`' /dev/sdx