Category Archives: Security Focus

Ruby CVE-2017-17405 Multiple Command Execution Vulnerabilities

Bugtraq ID: 102204
Class: Input Validation Error
CVE:

CVE-2017-17405

Remote: Yes
Local: No
Published: Dec 14 2017 12:00AM
Updated: Dec 18 2017 03:13PM
Credit: Etienne Stalmans from the Heroku product security team.
Vulnerable:

Ruby-Lang Ruby 2.4.2
Ruby-Lang Ruby 2.4.1
Ruby-Lang Ruby 2.3.5
Ruby-Lang Ruby 2.3.4
Ruby-Lang Ruby 2.3
Ruby-Lang Ruby 2.2.8
Ruby-Lang Ruby 2.2.7
Ruby-Lang Ruby 2.4.0
Ruby-Lang Ruby 2.2.2
Redhat Subscription Asset Manager 1.0.0

Not Vulnerable:

Ruby-Lang Ruby 2.4.3
Ruby-Lang Ruby 2.3.6
Ruby-Lang Ruby 2.2.9

Multiple Cisco Products Multiple Information Disclosure Vulnerabilities

Bugtraq ID: 102170
Class: Design Error
CVE:

CVE-2017-17428
CVE-2017-12373

Remote: Yes
Local: No
Published: Dec 12 2017 12:00AM
Updated: Dec 17 2017 12:13AM
Credit: Hanno Böck, Juraj Somorovsky of Ruhr-Universität Bochum/Hackmanit GmbH, and Craig Young of Tripwire VERT.
Vulnerable:

Cisco ASA 5540 Series Adaptive Security Appliance 0
Cisco ASA 5520 Series Adaptive Security Appliance 0
Cisco ASA 5510 Series Adaptive Security Appliance 0
Cisco ASA 5505 Series Adaptive Security Appliance 0
Cisco ASA 5500-X Series Firewalls 9.1(7.16)
Cisco Adaptive Security Appliance (ASA) 5500-X Series 0
Cisco ACE30 Application Control Engine Module 0
Cisco ACE 4710 Application Control Engine 0
Cisco ACE 4700 Series Application Control Engine Appliances 3.0(0)A5(3.5)
Cisco ACE 4700 Series Application Control Engine Appliances 3.0(0)A5(3.0)
Cisco ACE 4700 Series Application Control Engine Appliances 3.0(0)A5(2.0)

Not Vulnerable:

Erlang/OTP CVE-2017-1000385 Information Disclosure Vulnerability

Bugtraq ID: 102197
Class: Design Error
CVE:

CVE-2017-1000385

Remote: Yes
Local: No
Published: Dec 12 2017 12:00AM
Updated: Dec 17 2017 12:13AM
Credit: Hanno Böck, Juraj Somorovsky of Ruhr-Universität Bochum/Hackmanit GmbH, and Craig Young of Tripwire VERT.
Vulnerable:

Redhat OpenStack Platform 9.0
Redhat OpenStack Platform 12
Redhat OpenStack Platform 11
Redhat OpenStack Platform 10
Erlang Erlang/Otp 20.1.6
Erlang Erlang/Otp 19.3.6.3
Erlang Erlang/Otp 18.3.4.6

Not Vulnerable:

Erlang Erlang/Otp 20.1.7
Erlang Erlang/Otp 19.3.6.4
Erlang Erlang/Otp 18.3.4.7

SecurityFocus

1. ADVISORY SUMMARY

Kemp Load Balancers – Module Application Firewall Pack (AFP) – Web Application Firewall (WAF) does not inspect HTTP POST data

Risk: high

Application: Kemp Load Balancers – Module Application Firewall Pack (AFP)
Versions Affected: 7.1.30 (Nov 2015) to 7.2.40 (Oct 2017) // Older versions are probably affected too, but they were not checked
Vendor: KEMP Technologies
Vendor URL: https://kemptechnologies.com/

Sent to vendor: 16.10.2017
Vendor response: Acknowledge 17.10.2017, Fix in PreRelease 30.11.2017
Published fixed Release by vendor: 06.12.2017
Date of Public Advisory: 11.12.2017
Reference: Kemp Case #75046

Advisory URL: https://www.pallas.com/advisories/cve_2017_15524_kemp_afp_waf_bug_on_post_data
Author: Tim Kretschmann (Pallas GmbH)
Version and State of report: 1.0 (11.12.2017) – published

2. VULNERABILITY INFORMATION

Web Application Firewall does not inspect HTTP POST data

Remotely Exploitable: Yes
Locally Exploitable: No
CVE: CVE-2017-15524
CVSS Base Score v2: 10 / 10
CVSS Base Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

3. VULNERABILITY DESCRIPTION

Kemp Load Balancer Module Application Firewall Pack (AFP) provides Web Application Firewall functionality.
In the tested versions, only web attacks carried in URL arguments were checked and were successfully detected/blocked.
Attacks carried in arguments inside the payload of HTTP POST requests were NOT checked and were NOT detected/blocked.

Any attack that uses the body of an HTTP POST request to transport its attack vector therefore bypasses the Kemp Web Application Firewall.

4. SOLUTIONS AND WORKAROUNDS

Update to Release 7.2.40.1 (Nov 2017)
No possible workaround before 7.2.40.1

5. AUTHOR

Tim Kretschmann (Pallas GmbH)

6. TECHNICAL DESCRIPTION / PROOF OF CONCEPT (PoC)

WAF settings on the KEMP Load Balancer (Virtual Service -> Virtual Host -> WAF Options):

Web Application Firewall Enabled: On
Default Operation: Block Mode
Audit mode: Audit Relevant
Inspect HTML POST Request Content: On
– Disable JSON Parser: Off
– Disable XML Parser: Off
Process Responses: Off

Test-RuleSet:

SecRequestBodyAccess On

SecRule ARGS_POST:ptest attack123 "phase:2,id:8000,block,msg:'test 8000',log,auditlog"
SecRule ARGS_POST:ptest attack123 "phase:2,id:8001,deny,msg:'test 8001',log,auditlog"
SecRule ARGS_POST:ptest attack123 "phase:2,id:8002,drop,msg:'test 8002',log,auditlog"
SecRule ARGS_POST:ptest attack123 "phase:1,id:8003,block,msg:'test 8003',log,auditlog"
SecRule ARGS_POST:ptest attack123 "phase:1,id:8004,deny,msg:'test 8004',log,auditlog"
SecRule ARGS_POST:ptest attack123 "phase:1,id:8005,drop,msg:'test 8005',log,auditlog"

SecRule ARGS:ptest attack123 "phase:2,id:8010,block,msg:'test 8010',log,auditlog"
SecRule ARGS:ptest attack123 "phase:2,id:8011,deny,msg:'test 8011',log,auditlog"
SecRule ARGS:ptest attack123 "phase:2,id:8012,drop,msg:'test 8012',log,auditlog"
SecRule ARGS:ptest attack123 "phase:1,id:8013,block,msg:'test 8013',log,auditlog"
SecRule ARGS:ptest attack123 "phase:1,id:8014,deny,msg:'test 8014',log,auditlog"
SecRule ARGS:ptest attack123 "phase:1,id:8015,drop,msg:'test 8015',log,auditlog"

Proof-of-Concept:

pentest@testpc:~$ curl -X GET "http://www.website.tld/cms/login.xhtml?ptest=attack123"
403 ForbiddenAccess denied

--> Is blocked. Okay.

pentest@testpc:~$ curl -X POST "http://www.website.tld/cms/login.xhtml?ptest=attack123" -d "xx=1"
403 ForbiddenAccess denied

--> Is blocked. Okay.

pentest@testpc:~$ curl -X POST "http://www.website.tld/cms/login.xhtml" -H "Content-Type: application/x-www-form-urlencoded" -d "ptest=attack123" -s

[ Content of website ]

!! --> No Block/Drop/Deny on POST Attacks !!
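The three curl probes above differ only in where the ptest argument travels, which is exactly what the ARGS and ARGS_POST collections in the test ruleset distinguish. The following Python model is an added example, not Kemp's or ModSecurity's code; the rule ids and host name are taken from this advisory, and the inspect_body flag is an assumption standing in for whether the request body parser runs at all.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added model (not Kemp's or ModSecurity's code) of the two collections the
# advisory's test ruleset uses: ARGS = query-string arguments plus parsed body
# arguments, ARGS_POST = parsed body arguments only. inspect_body=False stands
# in for the reported defect: the body is never parsed, so a payload carried
# only in the POST body reaches neither collection.

FORM = "application/x-www-form-urlencoded"

# The advisory's ruleset reduced to one rule per collection (ids from the page).
RULES = [
    ("ARGS_POST", "ptest", "attack123", 8000),
    ("ARGS", "ptest", "attack123", 8010),
]


def collect_args(url, body, content_type, inspect_body):
    """Build the ARGS and ARGS_POST collections for one request."""
    args = parse_qs(urlsplit(url).query)
    post_args = {}
    if inspect_body and body and content_type == FORM:
        post_args = parse_qs(body)
    for name, values in post_args.items():
        args.setdefault(name, []).extend(values)
    return args, post_args


def evaluate(url, body=None, content_type=None, inspect_body=True):
    """Return the id of the first matching rule, or None if the request passes."""
    args, post_args = collect_args(url, body, content_type, inspect_body)
    for collection_name, arg, pattern, rule_id in RULES:
        collection = post_args if collection_name == "ARGS_POST" else args
        if any(re.search(pattern, v) for v in collection.get(arg, [])):
            return rule_id
    return None


def replay_probes(inspect_body):
    """Replay the advisory's three curl probes; map probe name -> blocking rule id."""
    base = "http://www.website.tld/cms/login.xhtml"  # host from the advisory's PoC
    return {
        "get_query": evaluate(base + "?ptest=attack123", inspect_body=inspect_body),
        "post_query": evaluate(base + "?ptest=attack123", "xx=1", FORM, inspect_body),
        "post_body": evaluate(base, "ptest=attack123", FORM, inspect_body),
    }


def post_body_inspected(inspect_body):
    """Regression check: True only when a body-only payload is blocked."""
    return replay_probes(inspect_body)["post_body"] is not None
```

With inspect_body=False the first two probes are blocked by rule 8010 and the third passes, matching the advisory's output; with the body parsed, the third probe is caught by rule 8000.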

7. TIMELINE

16.10.2017 – Open Ticket at Kemp #75046
17.10.2017 – Kemp acknowledged the bug
30.11.2017 – Kemp offered PreRelease 7.2.40.1.15841.RELEASE.20171129-1431-PATCH-64-MULTICORE to Pallas
06.12.2017 – Kemp published Release 7.2.40.1 (see https://kemptechnologies.com/software-release-notes/ – PD-10249)
11.12.2017 – Pallas published Advisory

8. ABOUT PALLAS GMBH

Pallas provides security consulting, pentesting, managed security services and hosting services with focus on security.
Address: Pallas GmbH, Hermuelheimer Strasse 8a, 50321 Bruehl, GERMANY
Phone: 0049.2232.18960
Fax: 0049.2232.198629
Web: https://www.pallas.com/


SecurityFocus


APPLE-SA-2017-12-13-7 Additional information for
APPLE-SA-2017-12-6-4 tvOS 11.2

tvOS 11.2 addresses the following:

IOSurface
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-13861: Ian Beer of Google Project Zero

Kernel
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-13862: Apple
CVE-2017-13876: Ian Beer of Google Project Zero
CVE-2017-13867: Ian Beer of Google Project Zero

Kernel
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2017-13833: Brandon Azad

Kernel
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: An application may be able to read restricted memory
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2017-13855: Jann Horn of Google Project Zero

Kernel
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2017-13865: Ian Beer of Google Project Zero
CVE-2017-13868: Brandon Azad
CVE-2017-13869: Jann Horn of Google Project Zero

WebKit
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2017-7156: an anonymous researcher
CVE-2017-7157: an anonymous researcher
CVE-2017-13856: Jeonghoon Shin
CVE-2017-13870: an anonymous researcher
CVE-2017-13866: an anonymous researcher
Entry added December 13, 2017

Wi-Fi
Available for: Apple TV (4th generation)
Released for Apple TV 4K in tvOS 11.1.
Impact: An attacker in Wi-Fi range may force nonce reuse in WPA
multicast/GTK clients (Key Reinstallation Attacks – KRACK)
Description: A logic issue existed in the handling of state
transitions. This was addressed with improved state management.
CVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU
Leuven

Installation note:

Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
“Settings -> System -> Software Update -> Update Software.”

To check the current version of software, select
“Settings -> General -> About.”

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple’s Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/


SecurityFocus


APPLE-SA-2017-12-13-5 Safari 11.0.2

Safari 11.0.2 addresses the following:

WebKit
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and
macOS High Sierra 10.13.2
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2017-7156: an anonymous researcher
CVE-2017-7157: an anonymous researcher
CVE-2017-13856: Jeonghoon Shin
CVE-2017-13870: an anonymous researcher
CVE-2017-13866: an anonymous researcher

Installation note:

Safari 11.0.2 may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple’s Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
