NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM
Title: Recent Java exploits rapidly weaponizing in the wild
Description: Exploit code for a group of Java vulnerabilities patched in Oracle’s June 2013 patch release has been made public over the last two weeks by the PacketStorm bug bounty program, and exploit kit authors and other malicious actors have been quick to weaponize the code and begin using it in the wild. Noted exploit kit researcher Kaffeine has already confirmed the presence of one or both exploits in half a dozen distinct kits, a particularly rapid uptake rate for an already-patched set of bugs. As always, administrators are urged to ensure that all systems under their control are properly patched.
Reference:
http://packetstormsecurity.com/files/122865/
http://packetstormsecurity.com/files/122806/
http://malware.dontneedcoffee.com/2013/08/cve-2013-2465-integrating-exploit-kits.html
Snort SID: 27621, 27622, 27672 – 27677, 27691 – 27694
ClamAV: Java.Exploit.CVE_2013_2465, Java.Exploit.CVE_2013_2459
Title: Denial of service in BIND in the wild
Description: A recently announced vulnerability in the popular BIND DNS service is being exploited in the wild, according to notes in the ISC vulnerability announcement included with their official patches. The issue, which can be exploited with a single packet, impacts the entire version 9 code base, and will hit default configurations there.
Administrators should patch immediately, or upgrade to BIND 10 if possible, as several versions of the BIND 9 code base are past end-of-life and will not be patched against this issue.
Reference:
https://kb.isc.org/article/AA-01015
Snort SID: 27666
ClamAV: N/A
Title: New attacks against security of TLS announced
Description: Researchers presenting at the 22nd annual USENIX security symposium last week announced a pair of partial plaintext recovery attacks against TLS. While the issues require rapidly repeated original plaintext in order to work, the researchers showed practical cases where necessary conditions would occur, though stopped short of providing any proof-of-concept code. Given this and related attacks discovered over the course of the last few years, such as the BEAST attack, developers of web applications secured by TLS should consider adding randomization to their plaintext messages as a proactive security measure against further attacks in this vein.
Reference:
https://www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_alfardan.pdf
Snort SID: N/A
ClamAV: N/A
============================================================
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
Alice in Warningland: A large-scale field study of browser security warning effectiveness:
A study in bots: Bitbot:
http://cylance.com/techblog/A-Study-in-Bots-Bitbot.shtml
Vulnerabilities that just won’t die: compression bombs:
http://blog.cyberis.co.uk/2013/08/vulnerabilities-that-just-wont-die.html
Bypassing AirWatch root restriction:
https://www.netspi.com/blog/entryid/192/bypassing-airwatch-root-restriction
A closer look: Perkle Android malware kit:
http://krebsonsecurity.com/2013/08/a-closer-look-perkele-android-malware-kit/
Using patched QEMU and IDA pro to debug bootroms:
http://www.droid-developers.org/wiki/QEMU
So you think your domain controller is secure?
http://scripthappens.azurewebsites.net/?p=1
UXSS: Internet Explorer EUC-JP parsing bug:
http://insert-script.blogspot.co.at/2013/08/uxss-internet-explorer-euc-jp-parsing.html
Hacker posts Facebook bug report on Zuckerberg’s wall:
http://rt.com/news/facebook-post-exploit-hacker-zuckerberg-621/#.UhA62dulSpE.twitter
Jekyll on iOS: when benign apps become evil:
https://www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_wang_2.pdf
ByeBye shell and the targeting of Pakistan:
https://community.rapid7.com/community/infosec/blog/2013/08/19/byebye-and-the-targeting-of-pakistan
ZFS forensics – recovering files from a destroyed Zpool:
http://www.joyent.com/blog/zfs-forensics-recovering-files-from-a-destroyed-zpool
Mitigating the LdrHotPatchRoutine DEP/ASLR bypass with MS13-063:
Trust in computing survey, part 2: less than half of developers use a security development process:
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: Not Available
Title: Joomla! Unauthorised Uploads
Vendor: Joomla!
Description: Inadequate filtering leads to the ability to bypass file type upload restrictions.
Affects Joomla! version 2.5.13 and earlier 2.5.x versions; and version
3.1.4 and earlier 3.x versions
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2013-2465
Title: Java storeImageArray() Invalid Array Indexing Vulnerability
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment
(JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to “Incorrect image channel verification” in 2D.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2013-1690
Title: Mozilla Firefox JavaScript Runtime Vulnerability
Vendor: Mozilla
Description: Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before
17.0.7 do not properly handle onreadystatechange events in conjunction with page reloading, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted web site that triggers an attempt to execute data at an unmapped memory location.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2013-2251
Title: Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
Vendor: Apache
Description: Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2013-2460
Title: Java Applet ProviderSkeleton Insecure Invoke Method
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment
(JRE) component in Oracle Java SE 7 Update 21 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serviceability. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to “insufficient access checks” in the tracing component.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Deja un comentario