CVE-2017-15708

Due to the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions, Apache Synapse 3.0.0 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. To mitigate the issue upgrading to 3.0.1 version is required. In Synapse 3.0.1 version, Commons Collection has been updated to 3.2.2 version which contains the fix for the above mentioned vulnerability.

Publish Date: 2017-12-11
Last Update Date: 2017-12-29


CVSS Scores & Vulnerability Types

CVSS Score: 7.5
Confidentiality Impact: Partial (There is considerable informational disclosure.)
Integrity Impact: Partial (Modification of some system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is limited.)
Availability Impact: Partial (There is reduced performance or interruptions in resource availability.)
Access Complexity: Low (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit.)
Authentication: Not required (Authentication is not required to exploit the vulnerability.)
Gained Access: None
Vulnerability Type(s): Execute Code
CWE ID: 74
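A classpath check for the mitigation the description calls for (Commons Collections at 3.2.2 or later), added here as an example and not part of CVEdetails or the Apache Synapse project: it walks a directory, reads each commons-collections jar's manifest Implementation-Version (falling back to the version in the file name) and flags anything older than 3.2.2. The jars it scans are constructed in a temporary directory; the directory layout and the "commons-collections-" file-name prefix are assumptions.

```python
"""Flag Apache Commons Collections jars older than 3.2.2 under a directory."""
import os
import re
import tempfile
import zipfile

FIXED_VERSION = (3, 2, 2)  # the 3.x release the advisory names as containing the fix
JAR_NAME_RE = re.compile(r"^commons-collections-(\d+(?:\.\d+)*).*\.jar$")

def parse_version(text):
    """'3.2.1' -> (3, 2, 1); trailing qualifiers such as '-SNAPSHOT' are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in m.group(0).split(".")) if m else None

def jar_version(path):
    """Prefer the manifest's Implementation-Version; fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            key, _, value = line.partition(":")
            if key.strip() == "Implementation-Version":
                version = parse_version(value)
                if version:
                    return version
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # no manifest or unreadable jar: rely on the file name instead
    m = JAR_NAME_RE.match(os.path.basename(path))
    return parse_version(m.group(1)) if m else None

def is_vulnerable(version):
    # Everything below 3.2.2 is in scope ("3.2.1 or previous versions").
    # commons-collections4 is a separate artifact and is not judged here.
    return version is not None and version < FIXED_VERSION

def scan_classpath(root):
    """Return [(path, version)] for every vulnerable commons-collections jar under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.startswith("commons-collections-") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = jar_version(path)
                if is_vulnerable(version):
                    findings.append((path, version))
    return findings

def make_sample_jar(directory, name, impl_version):
    """Constructed manifest-only jar used to exercise the scanner offline."""
    path = os.path.join(directory, name)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % impl_version)
    return path

def demo():
    # Two constructed jars: the vulnerable 3.2.1 and the fixed 3.2.2.
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_jar(tmp, "commons-collections-3.2.1.jar", "3.2.1")
        make_sample_jar(tmp, "commons-collections-3.2.2.jar", "3.2.2")
        return [(os.path.basename(p), v) for p, v in scan_classpath(tmp)]
```

Swapping the jar is the advisory's fix; a finding from this scan is the signal to upgrade (Synapse 3.0.1 bundles 3.2.2), not something to suppress.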



LibTIFF CVE-2017-17942 Heap Based Buffer Overflow Vulnerability

Bugtraq ID: 102312
Class: Boundary Condition Error
CVE: CVE-2017-17942
Remote: Yes
Local: No
Published: Dec 28 2017 12:00AM
Updated: Dec 28 2017 12:00AM
Credit: The vendor reported this issue.
Vulnerable:

Redhat Enterprise Linux 7
Redhat Enterprise Linux 6
Trustix Secure Enterprise Linux 2.0
Trustix Secure Linux 2.2
Trustix Secure Linux 2.1
Trustix Secure Linux 2.0
Redhat Enterprise Linux 5
LibTIFF LibTIFF 4.0.9

Not Vulnerable:

Wireshark ‘epan/wslua/wslua_file.c’ Denial of Service Vulnerability

Vulnerable:

Wireshark Wireshark 2.2.11
Wireshark Wireshark 2.2.10
Wireshark Wireshark 2.2.9
Wireshark Wireshark 2.2.8
Wireshark Wireshark 2.2.7
Wireshark Wireshark 2.2.6
Wireshark Wireshark 2.2.5
Wireshark Wireshark 2.2.4
Wireshark Wireshark 2.2.3
Wireshark Wireshark 2.2.2
Wireshark Wireshark 2.2.1
Wireshark Wireshark 2.2
Wireshark Wireshark 1.12.13
Wireshark Wireshark 1.12.12
Wireshark Wireshark 1.12.11
Wireshark Wireshark 1.12.10
Wireshark Wireshark 1.12.8
Wireshark Wireshark 1.12.7
Wireshark Wireshark 1.12.6
Wireshark Wireshark 1.12.3
Wireshark Wireshark 1.12.2
Wireshark Wireshark 1.12.1
Wireshark Wireshark 1.12
Wireshark Wireshark 1.10.14
Wireshark Wireshark 1.10.13
Wireshark Wireshark 1.10.12
Wireshark Wireshark 1.10.11
Wireshark Wireshark 1.10.10
Wireshark Wireshark 1.10.8
Wireshark Wireshark 1.10.7
Wireshark Wireshark 1.10.6
Wireshark Wireshark 1.10.5
Wireshark Wireshark 1.10.4
Wireshark Wireshark 1.10.3
Wireshark Wireshark 1.10.2
Wireshark Wireshark 1.10.1
Wireshark Wireshark 1.10
Wireshark Wireshark 1.8.13
Wireshark Wireshark 1.8.11
Wireshark Wireshark 1.8.10
Wireshark Wireshark 1.8.9
Wireshark Wireshark 1.8.7
Wireshark Wireshark 1.8.6
Wireshark Wireshark 1.8.5
Wireshark Wireshark 1.8.4
Wireshark Wireshark 1.5
Wireshark Wireshark 1.4.3
Wireshark Wireshark 1.2.18
Wireshark Wireshark 1.2.17
Wireshark Wireshark 1.2.16
Wireshark Wireshark 1.2.10
Wireshark Wireshark 1.2.9
Wireshark Wireshark 1.2.8
Wireshark Wireshark 1.2.7
Wireshark Wireshark 1.2.6
Wireshark Wireshark 1.2.5
Wireshark Wireshark 1.2.4
Wireshark Wireshark 1.2.3
Wireshark Wireshark 1.2.2
Wireshark Wireshark 1.2.1
Wireshark Wireshark 1.2
Wireshark Wireshark 1.0.15
Wireshark Wireshark 1.0.14
Wireshark Wireshark 1.0.13
Wireshark Wireshark 1.0.12
Wireshark Wireshark 1.0.11
Wireshark Wireshark 1.0.10
Wireshark Wireshark 1.0.9
Wireshark Wireshark 1.0.8
Wireshark Wireshark 1.0.7
Wireshark Wireshark 1.0.6
Wireshark Wireshark 1.0.5
Wireshark Wireshark 1.0.4
Wireshark Wireshark 1.0.3
Wireshark Wireshark 1.0.2
Wireshark Wireshark 1.0.1
Wireshark Wireshark 1.0
Wireshark Wireshark 0.99.8
Wireshark Wireshark 0.99.7
Wireshark Wireshark 0.99.6
Wireshark Wireshark 0.99.5
Wireshark Wireshark 0.99.4
Wireshark Wireshark 0.99.3
Wireshark Wireshark 0.99.2
Wireshark Wireshark 0.99.1
Wireshark Wireshark 0.99
Wireshark Wireshark 0.10.14
Wireshark Wireshark 0.10.13
Wireshark Wireshark 0.10.12
Wireshark Wireshark 0.10.11
Wireshark Wireshark 0.10.10
Wireshark Wireshark 0.10.9
Wireshark Wireshark 0.10.8
Wireshark Wireshark 0.10.7
Wireshark Wireshark 0.10.6
Wireshark Wireshark 0.10.4
Wireshark Wireshark 0.10.3
Wireshark Wireshark 0.10.2
Wireshark Wireshark 0.10.1
Wireshark Wireshark 0.10
Wireshark Wireshark 0.9.14
Wireshark Wireshark 0.9.10
Wireshark Wireshark 0.9.6
Wireshark Wireshark 0.9.5
Wireshark Wireshark 0.9.2
Wireshark Wireshark 0.8.20
Wireshark Wireshark 0.8.19
Wireshark Wireshark 0.8.16
Wireshark Wireshark 0.7.9
Wireshark Wireshark 0.6
Wireshark Wireshark 1.8.8
Wireshark Wireshark 1.8.3
Wireshark Wireshark 1.8.2
Wireshark Wireshark 1.8.1
Wireshark Wireshark 1.5.1
Wireshark Wireshark 1.4.0
Wireshark Wireshark 1.2.15
Wireshark Wireshark 1.2.14
Wireshark Wireshark 1.2.13
Wireshark Wireshark 1.2.12
Wireshark Wireshark 1.2.11
Wireshark Wireshark 1.12.9
Wireshark Wireshark 1.12.5
Wireshark Wireshark 1.12.4
Wireshark Wireshark 1.10.9
Wireshark Wireshark 1.10
Wireshark Wireshark 1.0.16
Wireshark Wireshark 0.99.6A
Wireshark Wireshark 0.99
Wireshark Wireshark 0.9.8
Wireshark Wireshark 0.9.7
Wireshark Wireshark 0.10
Redhat Enterprise Linux 7
Redhat Enterprise Linux 6
Trustix Secure Enterprise Linux 2.0
Trustix Secure Linux 2.2
Trustix Secure Linux 2.1
Trustix Secure Linux 2.0
Redhat Enterprise Linux 5

Critical “Same Origin Policy” Bypass Flaw Found in Samsung Android Browser


A critical vulnerability has been discovered in the browser app that comes pre-installed on hundreds of millions of Samsung Android devices; it could allow an attacker to steal data from other browser tabs if the user visits an attacker-controlled site.

Identified as CVE-2017-17692, the vulnerability is a Same Origin Policy (SOP) bypass that resides in the popular Samsung Internet Browser version 5.4.02.3 and earlier.

The Same Origin Policy or SOP is a security feature applied in modern browsers that is designed to make it possible for web pages from the same website to interact while preventing unrelated sites from interfering with each other.

In other words, the SOP makes sure that the JavaScript code from one origin should not be able to access the properties of a website on another origin.

The SOP bypass vulnerability in the Samsung Internet Browser, discovered by Dhiraj Mishra, could allow a malicious website to steal data, such as passwords or cookies, from the sites opened by the victim in different tabs.

“When the Samsung Internet browser opens a new tab in a given domain (say, google.com) through a Javascript action, that Javascript can come in after the fact and rewrite the contents of that page with whatever it wants,” researchers from security firm Rapid7 explained.

“This is a no-no in browser design since it means that Javascript can violate the Same-Origin Policy, and can direct Javascript actions from one site (controlled by the attacker) to act in the context of another site (the one the attacker is interested in). Essentially, the attacker can insert custom Javascript into any domain, provided the victim user visits the attacker-controlled web page first.”

Attackers can even snag a copy of your session cookie or hijack your session and read and write webmail on your behalf.

Mishra reported the vulnerability to Samsung, and the company replied that “the patch is already preloaded in our upcoming model Galaxy Note 8, and the application will be updated via Apps store update in October.”

Meanwhile, Mishra, with the help of Tod Beardsley and Jeffrey Martin from Rapid7 team, also released an exploit for Metasploit Framework.

Rapid7 researchers have also published a video demonstrating the attack.

Since the Metasploit exploit code for the SOP bypass vulnerability in the Samsung Internet Browser is now publicly available, even people with little technical knowledge can exploit the flaw on a large number of Samsung devices, most of which are still using the old Android stock browser.

Two Romanians Charged With Hacking Police CCTV Cameras Before Trump Inauguration


Remember how some cybercriminals shut down most of Washington D.C. police’s security cameras for four days ahead of President Donald Trump’s inauguration earlier this year?

Just a few days after the incident, British authorities arrested two people in the United Kingdom, identified as a British man and a Swedish woman, both 50 years old, at the request of U.S. officials.

But now a US federal court affidavit has revealed that two Romanian nationals were behind the attack that hacked into 70% of the computers controlling the Washington DC Metropolitan Police Department’s surveillance camera network in January this year, CNN reports.

The two suspects—Mihai Alexandru Isvanca, 25, and Eveline Cismaru, 28—were arrested in Bucharest on December 15 on charges of conspiracy to commit wire fraud and various forms of computer fraud.

According to the criminal complaint unsealed in Washington, the pair hacked 123 of the Metropolitan Police Department’s 187 outdoor surveillance cameras used to monitor public areas in D.C. by infecting computers with ransomware in an effort to extort money.

Ransomware is an infamous piece of malicious software that has been known for locking up computer files and then demanding a ransom (usually in Bitcoins) to help victims unlock their files.

The cyber attack occurred just days before the inauguration of President Donald Trump and lasted almost four days, leaving the CCTV cameras unable to record anything between 12 and 15 January 2017.

Instead of fulfilling ransom demands, the DC police department took the storage devices offline, removed the infection and rebooted the systems across the city, ensuring that the surveillance camera system was secure and fully operational.

“This case was of the highest priority due to its impact on the Secret Service’s protective mission and its potential effect on the security plan for the 2017 Presidential Inauguration,” the Justice Department said.

“The investigation revealed no evidence that any person’s physical security was threatened or harmed due to the disruption of the MPD surveillance cameras.”


The affidavit, dated December 11, mentions the defendants used two types of cryptocurrency ransomware variants—Cerber and Dharma. Other evidence also revealed a scheme to distribute ransomware by email to at least 179,000 email addresses.

“According to the complaint, further investigation showed that the two defendants, Isvanca and Cismaru, participated in the ransomware scheme using the compromised MPD surveillance camera computers, among others,” the Justice Department said.

“The investigation also identified certain victims who had received the ransomware or whose servers had been accessed during the scheme.”

However, it is still unclear whether the arrested pair were solely behind the attack or were part of a wider cybercriminal network.

While Isvanca remains in custody in Romania, Cismaru is under house arrest pending further legal proceedings, according to the Justice Department.

If extradited and convicted, the Romanian defendants could face a maximum of 20 years in prison.

Daniel Lerch: “Steganography is a Tool of Great Interest to Cybercriminals”

Elliot Alderson hides secret information in audio CD files. However, the technique used by the fictional hacker protagonist of “Mr Robot” is far from being a TV whimsy. This is just one of the many steganography techniques used by hackers and cybercriminals to evade security systems.

From the Greek steganos (hidden) and graphos (writing), steganography is a method of hiding data. To analyze how to best handle this surreptitious threat, we spoke with Daniel Lerch, who has a PhD in Computer Science from the Universitat Oberta de Catalunya (UOC), and is one of the top steganography experts in Spain.

Panda Security: How would you define steganography? How is it different from cryptography?

Daniel Lerch: Steganography studies how to hide information in a carrier object (an image, an audio file, a text or a network protocol). While in cryptography the intention is that the message sent cannot be read by an attacker, in steganography the goal is to hide even the fact that any communication is taking place.

The two sciences are not mutually exclusive. In fact, steganography usually uses cryptography to encrypt the message before hiding it. But their objectives are different: not everyone who needs to protect information, also needs to hide it. So steganography would be an additional layer of security.

PS: Who would benefit more from steganography: cybercriminals or security providers?


DL: Without a doubt, cybercriminals. Those responsible for the security of companies and institutions do not need to hide their communications. To keep them safe, cryptography is enough.

Steganography is a tool of great interest for different types of criminals, since it allows communication without being detected. Typical examples are communications between terrorist cells, the dissemination of illegal material, the extraction of business secrets, or their use as a tool to hide malware or the commands that remotely control the malware.

PS: How has this technique evolved in recent times?

DL: Depending on the medium by which steganography is applied, the evolution has been varied.

The medium that has evolved the most is steganography in images. They are so difficult to model statistically that it is very easy to make changes to them without anyone noticing. For example, the value of a pixel in a black and white image can be represented by a byte, that is, a number between 0 and 255. If that value is modified by one unit (hiding a bit) the human eye cannot perceive it. But the issue is that it’s not easy for statistical analysis of the image to detect this alteration either. Images are an excellent way of hiding data, as are video and audio.

Another medium that has received a lot of attention is steganography in network protocols. However, unlike what happens with images, network protocols are well defined. If we change information in a packet it is noticeable, so there is less wiggle room when it comes to hiding data. Although they may seem easy to detect from the outset, these techniques can be effective because of the difficulty of analyzing the large amount of traffic in existing networks.

One of the oldest media carriers, and one which has evolved least in the digital age, is the text. However, steganography in text could make a significant leap thanks to machine learning. In the techniques developed in recent years, the process of hiding information is tedious and requires the user’s manual input to generate a harmless text that makes sense and carries a hidden message. However, the current advances in deep learning applied to NLP allow us to generate more and more realistic texts, so it is possible that we will soon see steganography in text that is really difficult to detect.

PS: What applications does steganalysis have in the field of computer security? What techniques are usually used?

DL: From the point of view of business security, the main applications are the detection of malware that uses steganography to hide itself and the detection of malicious users trying to extract confidential information.

From the point of view of national security agencies, the main applications of steganalysis are the detection of terrorist or espionage communications.

Although most of the steganography tools that can be found on the Internet are unsophisticated and could be detected with simple and known attacks, there are no quality public tools that allow us to automate the process, detecting steganography in network protocols, in images, in video, audio, text, etc.

Maybe this is not possible yet. For example, in the field of steganography in images, the advanced techniques with which it is currently being investigated can hardly be detected using machine learning. If, in addition, the information is distributed among different media, significantly reducing the amount of information per carrier object, its detection with current technology becomes practically impossible.

PS: What role do you believe that steganography will play in the coming years? Will it be used more as an attack weapon, or a defense tool?

DL: Steganography as a defense tool would be unusual, although there are examples, such as the extraction of information by activists in a totalitarian country.

The main role of steganography in the next few years will be seen in its application as a tool to hide malware and to send control commands to the malware. This is already being done, although with fairly rudimentary techniques. The use of modern steganography techniques to hide malicious code will greatly hinder detection, forcing security tools to use advanced steganalysis techniques.

PS: What advice would you give to a computer security professional who is thinking of using steganalysis?

DL: He would probably be interested in detecting malware or data exfiltration. The first thing is to keep good track of everything, to know what tools exist and when and how to use them. Then, it comes down to practice. Test and validate the technologies that we implement using a wealth of data.

If you use machine learning to perform steganalysis, you must be careful with what data you use to train the system. The model has to be able to predict data it has never seen. It would produce an error if, to validate the model, it were to use data that was used to train it. In machine learning, it is often said that a model is as good as the training data. So if our training data are not complete, the predictions that our model will make will not be reliable. The more data we use to train the model, the less likely it is that it will be incomplete. Otherwise, we run the risk of ending up developing tools that only work well in the laboratory, with our test data.

PS: What role will artificial intelligence and machine learning play in business cybersecurity strategies?

DL: An example would be the automatic detection of security flaws in the software. Also, replacing antivirus software that detects the signatures of known viruses with an artificial intelligence system that identifies viruses based on common characteristics and behavior.

PS: In an environment where there are more and more connected devices, what security measures should be adopted to protect the privacy of data at the enterprise level?

DL: Security measures in IoT devices have to be the same as those applied to other devices connected to the same network. It may seem strange to have to manage the security of the office thermostat at the same level as a PC, but from the point of view of an attacker, this is as good a point of access to the network as any other.
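The pixel-level hiding Lerch describes (changing a grey value by one unit to carry a bit) and the kind of "simple and known attack" he says most public tools fall to, as an added example that is not part of the interview: LSB replacement on a constructed greyscale image, followed by the chi-square pairs-of-values test that flags full-capacity replacement. The cover image, the payload and the decision threshold are constructed assumptions for this example.

```python
"""LSB replacement and the chi-square pairs-of-values attack on a constructed greyscale image."""
import random

def make_cover(width=256, height=256, seed=1):
    """Constructed 8-bit cover: a noisy gradient, quantised, then contrast-stretched.
    The stretch skips every third grey level, the kind of histogram structure that
    real contrast or gamma adjustments leave behind and that the attack relies on."""
    rng = random.Random(seed)
    pixels = []
    for y in range(height):
        for x in range(width):
            v = int(40 + 100 * x / width + rng.gauss(0, 12))  # quantise to integer levels
            v = int(v * 1.5)                                   # stretch: levels 2 mod 3 never occur
            pixels.append(max(0, min(255, v)))
    return pixels

def embed_lsb(pixels, bits):
    """LSB replacement: each pixel changes by at most one unit, as the interview describes."""
    if len(bits) > len(pixels):
        raise ValueError("message longer than capacity")
    stego = list(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego

def extract_lsb(pixels, nbits):
    return [p & 1 for p in pixels[:nbits]]

def chi_square_pov(pixels):
    """Pearson chi-square over the pairs of values (2k, 2k+1). Full-capacity LSB
    replacement balances the two counts of every pair, so the statistic lands near
    its degrees of freedom; an untouched cover with histogram structure scores far higher."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    stat, dof = 0.0, 0
    for k in range(128):
        n_even, n_odd = hist[2 * k], hist[2 * k + 1]
        total = n_even + n_odd
        if total == 0:
            continue  # unused pair carries no evidence either way
        expected = total / 2.0
        stat += (n_even - expected) ** 2 / expected + (n_odd - expected) ** 2 / expected
        dof += 1
    return stat, dof

def looks_lsb_embedded(pixels, ratio_threshold=2.0):
    """Decision rule (an assumption for this example): statistic/dof near 1 means the
    even/odd counts are as balanced as replacement leaves them. A production tool would
    report the chi-square p-value; low embedding rates or +/-1 matching defeat this test."""
    stat, dof = chi_square_pov(pixels)
    return dof > 0 and stat / dof < ratio_threshold

def demo():
    cover = make_cover()
    rng = random.Random(7)
    message = [rng.randint(0, 1) for _ in range(len(cover))]  # constructed full-capacity payload
    stego = embed_lsb(cover, message)
    return {
        "cover_flagged": looks_lsb_embedded(cover),
        "stego_flagged": looks_lsb_embedded(stego),
        "extracted_ok": extract_lsb(stego, 64) == message[:64],
        "max_pixel_change": max(abs(a - b) for a, b in zip(cover, stego)),
    }
```

The test only catches sequential, near-full replacement; the modern schemes Lerch refers to spread far fewer changes across the carrier and need the machine-learning steganalysis he discusses.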

The post Daniel Lerch: “Steganography is a Tool of Great Interest to Cybercriminals” appeared first on Panda Security Mediacenter.
