DSA-3869 tnef – security update

It was discovered that tnef, a tool used to unpack MIME attachments of
type “application/ms-tnef”, did not correctly validate its input. An
attacker could exploit this by tricking a user into opening a
malicious attachment, which would result in a denial-of-service by
application crash.

Read More

US Defense Contractor left Sensitive Files on Amazon Server Without Password

us-defense-contractor

Sensitive files linked to the United States intelligence agency were reportedly left on a public Amazon server by one of the nation’s top intelligence contractor without a password, according to a new report.

UpGuard cyber risk analyst Chris Vickery discovered tens of thousands of documents from a US military project for the National Geospatial-Intelligence Agency (NGA) left unsecured on Amazon cloud storage server for anyone to access.

The documents included passwords to a US government system containing sensitive information, and the security credentials of a senior employee of Booz Allen Hamilton, one of the country’s top defense contractors.

Although there wasn’t any top secret file in the cache Vickery discovered, the documents included credentials to log into code repositories that could contain classified files and other credentials.

Master Credentials to a Highly-Protected Pentagon System were Exposed

Roughly 28GB of exposed documents included the private Secure Shell (SSH) keys of a Booz Allen employee, and a half dozen plain text passwords belonging to government contractors with Top Secret Facility Clearance, Gizmodo reports.

What’s more? The exposed data even contained master credentials granting administrative access to a highly-protected Pentagon system.

The sensitive files have since been secured and were likely hidden from those who didn’t know where to look for them, but anyone, like Vickery, who knew where to look could have downloaded those sensitive files, potentially allowing access to both highly classified Pentagon material and Booz Allen information.

“In short, information that would ordinarily require a Top Secret-level security clearance from the DoD was accessible to anyone looking in the right place; no hacking was required to gain credentials needed for potentially accessing materials of a high classification level,” Vickery says.

Vickery is reputed and responsible researcher, who has previously tracked down a number of exposed datasets on the Internet. Two months ago, he discovered an unsecured and publicly exposed database, containing nearly 1.4 Billion user records, linked to River City Media (RCM).

Vickery is the one who, in 2015, reported a huge cache of more than 191 Million US voter records and details of nearly 13 Million MacKeeper users.

Both NGA and Booz Allen are Investigating the Blunder

The NGA is now investigating this security blunder.

“We immediately revoked the affected credentials when we first learned of the potential vulnerability,” the NGA said in a statement. “NGA assesses its cyber security protections and procedures constantly with all of its industry partners. For an incident such as this, we will closely evaluate the situation before determining an appropriate course of action.”

However, Booz Allen said the company is continuing with a detailed forensic investigation about the misstep.

“Booz Allen takes any allegation of a data breach very seriously, and promptly began an investigation into the accessibility of certain security keys in a cloud environment,” a Booz Allen spokesperson told Gizmodo. 

“We secured those keys, and are continuing with a detailed forensic investigation. As of now, we have found no evidence that any classified information has been compromised as a result of this matter.”

Booz Allen Hamilton is the same consulting firm that employed whistleblower Edward Snowden when he disclosed the global surveillance conducted by the NSA. It is among top 100 US federal contractor and once described as “the world’s most profitable spy organisation.”

Powered by WPeMatico

LDAP – Critical – Data Injection – SA-CONTRIB-2017-052

Description

The LDAP module does not sanitize user input correctly in several cases, allowing a user to modify parameters without restriction and inject data.

If the site administrator chooses to hide the email or password from the user form (instead of showing or disabling it under “Authorization”), these values can be overwritten.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • LDAP 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Lightweight Directory Access Protocol (LDAP) module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the LDAP module for Drupal 7.x-2.x, upgrade to LDAP-7.x-2.2

Also see the Lightweight Directory Access Protocol (LDAP) project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Read More

CVE-2017-4897

VMware Horizon DaaS before 7.0.0 contains a vulnerability that exists due to insufficient validation of data. An attacker may exploit this issue by tricking DaaS client users into connecting to a malicious server and sharing all their drives and devices. Successful exploitation of this vulnerability requires a victim to download a specially crafted RDP file through DaaS client by clicking on a malicious link.

Read More