Tag Archives: have

Remotely Exploitable Flaw Found In HP Enterprise Printers—Patch Now


Security researchers have discovered a potentially dangerous vulnerability in the firmware of various Hewlett Packard (HP) enterprise printer models that could be abused by attackers to run arbitrary code on affected printer models remotely.

The vulnerability (CVE-2017-2750), rated as high in severity with 8.1 CVSS scale, is due to insufficiently validating parts of Dynamic Link Libraries (DLL) that allows for the potential execution of arbitrary code remotely on affected 54 printer models.

The security flaw affects 54 printer models ranging from HP LaserJet Enterprise, LaserJet Managed, PageWide Enterprise and OfficeJet Enterprise printers.

This remote code execution (RCE) vulnerability was discovered by researchers at FoxGlove Security when they were analyzing the security of HP’s MFP-586 printer (currently sold for $2,000) and HP LaserJet Enterprise M553 printers (sold for $500).

According to a technical write-up posted by FoxGlove on Monday, researchers were able to execute code on affected printers by reverse engineering files with the “.BDL” extension used in both HP Solutions and firmware updates.

“This (.BDL) is a proprietary binary format with no publicly available documentation,” researchers said. “We decided that reverse engineering this file format would be beneficial, as it would allow us to gain insight into exactly what firmware updates and software solutions are composed of.”

Since HP has implemented the signature validation mechanism to prevent tampering with the system, the researchers failed to upload a malicious firmware to the affected printer.

However, after some testing researchers said that “it may be possible to manipulate the numbers read into int32_2 and int32_3 in such a way that the portion of the DLL file having its signature verified could be separated from the actual executable code that would run on the printer.”

The researchers were able to bypass digital signature validation mechanism for HP software “Solution” package and managed to add a malicious DLL payload and execute arbitrary code.

FoxGlove Security has made the source code of the tools used during its research available on GitHub, along with the proof-of-concept (PoC) malware payload that could be remotely installed on the printers.

The actions performed by their proof of concept malware are as follows:

  1. It downloads a file from http[://]nationalinsuranceprograms[.]com/blar
  2. Executes the command specified in the file on the printer
  3. Waits for 5 seconds
  4. Repeat

FoxGlove Security reported this remote code execution vulnerability to HP in August this year, and the vendor fixed the issue with the release of new firmware updates for its business and enterprise printers.

To download the new firmware update, visit the HP website in your web browser, and select Support from the top of the page and select Software & drivers. Now, enter the product name or model number in the search box, then scroll down in the search results to firmware and download the necessary files.

Critical Flaws in Intel Processors Leave Millions of PCs Vulnerable


In past few months, several research groups have uncovered vulnerabilities in the Intel remote administration feature known as the Management Engine (ME) which could allow remote attackers to gain full control of a targeted computer.

Now, Intel has admitted that these security vulnerabilities could “potentially place impacted platforms at risk.”

The popular chipmaker released a security advisory on Monday admitting that its Management Engine (ME), remote server management tool Server Platform Services (SPS), and hardware authentication tool Trusted Execution Engine (TXE) are vulnerable to multiple severe security issues that place millions of devices at risk.

The most severe vulnerability (CVE-2017-5705) involves multiple buffer overflow issues in the operating system kernel for Intel ME Firmware that could allow attackers with local access to the vulnerable system to “load and execute code outside the visibility of the user and operating system.

The chipmaker has also described a high-severity security issue (CVE-2017-5708) involving multiple privilege escalation bugs in the operating system kernel for Intel ME Firmware that could allow an unauthorized process to access privileged content via an unspecified vector.

Systems using Intel Manageability Engine Firmware version 11.0.x.x, 11.5.x.x, 11.6.x.x, 11.7.x.x, 11.10.x.x and 11.20.x.x are impacted by these vulnerabilities.

For those unaware, Intel-based chipsets come with ME enabled for local and remote system management, allowing IT administrators to remotely manage and repair PCs, workstations, and servers within their organization.

As long as the system is connected to a line power and a network cable, these remote functions can be performed out of band even when the computer is turned off as it operates independently of the operating system.

Since ME has full access to almost all data on the computer, including its system memory and network adapters, exploitation of the ME flaws to execute malicious code on it could allow for a complete compromise of the platform.

“Based on the items identified through the comprehensive security review, an attacker could gain unauthorised access to the platform, Intel ME feature, and third party secrets protected by the ME, Server Platform Service (SPS), or Trusted Execution Engine (TXE),” Intel said.

Besides running unauthorized code on computers, Intel has also listed some attack scenarios where a successful attacker could crash systems or make them unstable.

Another high-severity vulnerability involves a buffer overflow issue (CVE-2017-5711) in Active Management Technology (AMT) for the Intel ME Firmware that could allow attackers with remote Admin access to the system to execute malicious code with AMT execution privilege.

AMT for Intel ME Firmware versions 8.x, 9.x, 10.x, 11.0.x.x, 11.5.x.x, 11.6.x.x, 11.7.x.x, 11.10.x.x and 11.20.x.x are impacted by this vulnerability.

The worst part is that it’s almost impossible to disable the ME feature to protect against possible exploitation of these vulnerabilities.

“The disappointing fact is that on modern computers, it is impossible to completely disable ME,” researchers from Positive Technologies noted in a detailed blog post published late August. “This is primarily due to the fact that this technology is responsible for initialization, power management, and launch of the main processor.”

Other high severity vulnerabilities impact TXE version 3.0 and SPS version 4.0, leaving millions of computers with the feature at risk. These are described as:

High Severity Flaws in Server Platform Service (SPS)

  • CVE-2017-5706: This involves multiple buffer overflow issues in the operating system kernel for Intel SPS Firmware that could allow attackers with local access to the system to execute malicious code on it.
  • CVE-2017-5709: This involves multiple privilege escalation bugs in the operating system kernel in Intel SPS Firmware that could allow an unauthorized process to access privileged content via an unspecified vector.

Both the vulnerabilities impact Intel Server Platform Services Firmware 4.0.x.x.

High Severity Flaws in Intel Trusted Execution Engine (TXE)

  • CVE-2017-5707: This issue involves multiple buffer overflow flaws in the operating system kernel in Intel TXE Firmware that allow attackers with local access to the system to execute arbitrary code on it.
  • CVE-2017-5710: This involves multiple privilege escalation bugs in the operating system kernel in Intel TXE Firmware that allow an unauthorized process to access privileged content via an unspecified vector.

Both the vulnerabilities impact Intel Trusted Execution Engine Firmware 3.0.x.x.

Affected Intel Products

Below is the list of the processor chipsets which include the vulnerable firmware:

  • 6th, 7th and 8th Generation Intel Core processors
  • Xeon E3-1200 v5 and v6 processors
  • Xeon Scalable processors
  • Xeon W processors
  • Atom C3000 processors
  • Apollo Lake Atom E3900 series
  • Apollo Lake Pentiums
  • Celeron N and J series processors

Intel has issued patches across a dozen generations of CPUs to address these security vulnerabilities that affect millions of PCs, servers, and the internet of things devices, and is urging affected customers to update their firmware as soon as possible.

The chipmaker has also published a Detection Tool to help Windows and Linux administrators check if their systems are exposed to any threat.

The company thanked Mark Ermolov and Maxim Goryachy from Positive Technologies Research for discovering CVE-2017-5705 and bringing it to its attention, which forced the chipmaker to review its source code for vulnerabilities.

Banking Trojan Gains Ability to Steal Facebook, Twitter and Gmail Accounts

Security researchers have discovered a new, sophisticated form of malware based on the notorious Zeus banking Trojan that steals more than just bank account details.

Dubbed Terdot, the banking Trojan has been around since mid-2016 and was initially designed to operate as a proxy to conduct man-in-the-middle (MitM) attacks, steal browsing information such as stored credit card information and login credentials and injecting HTML code into visited web pages.

However, researchers at security firm Bitdefender have discovered that the banking Trojan has now been revamped with new espionage capabilities such as leveraging open-source tools for spoofing SSL certificates in order to gain access to social media and email accounts and even post on behalf of the infected user.

Terdot banking trojan does this by using a highly customized man-in-the-middle (MITM) proxy that allows the malware to intercept any traffic on an infected computer.

Besides this, the new variant of Terdot has even added automatic update capabilities that allow the malware to download and execute files as requested by its operator.

Usually, Terdot targeted banking websites of numerous Canadian institutions such as Royal Bank, Banque Nationale, PCFinancial, Desjardins, BMO (Bank of Montreal) and Scotiabank among others.

This Trojan Can Steal Your Facebook, Twitter and Gmail accounts

However, according to the latest analysis, Terdot can target social media networks including Facebook, Twitter, Google Plus, and YouTube, and email service providers including Google’s Gmail, Microsoft’s live.com, and Yahoo Mail.

Interestingly, the malware avoids gathering data related to Russian largest social media platform VKontakte (vk.com), Bitdefender noted. This suggests Eastern European actors may be behind the new variant.

The banking Trojan is mostly being distributed through websites compromised with the SunDown Exploit Kit, but researchers also observed it arriving in a malicious email with a fake PDF icon button.

If clicked, it executes obfuscated JavaScript code that downloads and runs the malware file. In order to evade detection, the Trojan uses a complex chain of droppers, injections, and downloaders that allow the download of Terdot in pieces.

Once infected, the Trojan injects itself into the browser process to direct connections to its own Web proxy, read traffic and inject spyware. It can also steal authentication info by inspecting the victim’s requests or injecting spyware Javascript code in the responses.

Terdot can also bypass restrictions imposed by TLS (Transport Layer Security) by generating its own Certificate Authority (CA) and generating certificates for every domain the victim visits.

Any data that victims send to a bank or social media account could then be intercepted and modified by Terdot in real-time, which could also allow it to spread itself by posting fake links to other social media accounts.

“Terdot is a complex malware, building upon the legacy of Zeus,” Bitdefender concluded. “Its focus on harvesting credentials for other services such as social networks and email services could turn it into an extremely powerful cyber espionage tool that is extremely difficult to spot and clean.”

Bitdefender has been tracking the new variant of Terdot banking Trojan ever since it resurfaced in October last year. For more details on the new threat, you can head on to a technical paper (PDF) published by the security firm.

Russian ‘Fancy Bear’ Hackers Using (Unpatched) Microsoft Office DDE Exploit


Cybercriminals, including state-sponsored hackers, have started actively exploiting a newly discovered Microsoft Office vulnerability that Microsoft does not consider as a security issue and has already denied to patch it.

Last month, we reported how hackers could leverage a built-in feature of Microsoft Office feature, called Dynamic Data Exchange (DDE), to perform code execution on the targeted device without requiring Macros enabled or memory corruption.

DDE protocol is one of the several methods that Microsoft uses to allow two running applications to share the same data.

The protocol is being used by thousands of apps, including MS Excel, MS Word, Quattro Pro, and Visual Basic for one-time data transfers and for continuous exchanges for sending updates to one another.

Soon after the details of DDE attack went public, several reports emerged about various widespread attack campaigns abusing this technique in the wild to target several organisations with malware.

Now, for the first time, this DDE attack technique has been found leveraging by an Advanced Persistent Threat (APT) hacking group—APT28, which is well known as Fancy Bear and is widely believed to be backed by the Russian government.

Russian Hackers Using New York Terror Attack to Lure Victims

While analyzing a new spear phishing campaign, security researchers discovered that the Fancy Bear hackers have been leveraging the DDE vulnerability since late October, according to a recent report published Tuesday by McAfee researchers.

The campaign involved documents referencing the recent terrorist attack in New York City in an attempt to trick victims into clicking on the malicious documents, which eventually infects their systems with malware.

Since DDE is a Microsoft’s legitimate feature, most antivirus solutions don’t flag any warning or block the documents with DDE fields.

Therefore, anyone who clicks on the malicious attachment (with names like SabreGuard2017.docx or IsisAttackInNewYork.docx) inadvertently runs malicious code on his/her computer without any restriction or detection.

Once opened, the document runs contacts a command-and-control server to install the first stage of the malware called Seduploader on victims’ machines using PowerShell commands.

Seduploader then profiles prospective victims by pulling basic host information from the infected system to the hackers. If the system is of interest, the attackers later install a more fully featured piece of spyware—X-Agent and Sedreco.

“APT28 is a resourceful threat actor that not only capitalizes on recent events to trick potential victims into infections but can also rapidly incorporate new exploitation techniques to increase its success,” Mcafee researchers concluded. 

“Given the publicity the Cy Con U.S campaign received in the press, it is possible APT28 actors moved away from using the VBA script employed in past actions and chose to incorporate the DDE technique to bypass network defenses.”

This is not first malware campaign that has been spotted abusing the DDE attack technique.

Soon after the details of DDE attack technique went public, Cisco’s Talos threat research group uncovered an attack campaign that was actively exploiting this attack technique to target several organisations with a fileless remote access trojan called DNSMessenger.

Late last month, researchers discovered a campaign that spread Locky ransomware and TrickBot banking trojan via Word documents that leveraged the DDE technique.

Another separate malware spam campaign discovered by security researchers also found distributing Hancitor malware (also known as Chanitor and Tordal) using Microsoft Office DDE exploit.

Protection Against DDE Malware Attacks

Since Microsoft does not provide any protection against such attacks, you can easily prevent yourself from falling victim to any malicious document abusing the Microsoft’s DDE feature by disabling it entirely.

If you use Microsoft Word 2016 or Microsoft Excel 2016, go to Options → Advanced, and then remove the checkmark from “Update automatic links at open” which is listed under the general group on the page.

In MS Excel, you can also consider checking “Ignore other applications that use Dynamic Data Exchange (DDE).


Moreover, Disable DDEAuto is a Registry file maintained on GitHub that disables the “update links” as well as “embedded files” functionality in MS Office documents when run.

You can detect Office documents abusing the DDE feature via a set of YARA rules in Office Open XML files published by the researchers at NVISO Labs.

However, the best way to protect yourself from such malware attacks is always to be suspicious of uninvited documents sent via emails and never click on links inside those documents unless adequately verifying the source.

IEEE P1735 Encryption Is Broken—Flaws Allow Intellectual Property Theft


Researchers have uncovered several major weaknesses in the implementation of the Institute of Electrical and Electronics Engineers (IEEE) P1735 cryptography standard that can be exploited to unlock, modify or steal encrypted system-on-chip blueprints.

The IEEE P1735 scheme was designed to encrypt electronic-design intellectual property (IP) in the hardware and software so that chip designers can protect their IPs from hackers and other prying eyes.

Majority of mobile and embedded devices include a System-on-Chip (SoC), a single integrated circuit that can consist of multiple IPs—a collection of reusable design specifications—like a radio-frequency receiver, an analogue-to-digital converter, a digital signal processing unit, a graphics processing unit, a cryptographic engine, from different vendors.

Therefore, these licensed IPs are quite valuable to their vendors, so to protect them from being reverse engineered after being sold, the IEEE developed the P1735 standard to encrypts electronic-design IP.

However, an alert published Friday by the Department of Homeland Security’s US-CERT warned that the IEEE P1735 standard is flawed.

“In the most egregious cases, [these mistakes] enable attack vectors [like padding-oracle attacks] that allow recovery of the entire underlying plaintext IP,” US-CERT warned.

“Implementations of IEEE P1735 may be weak to cryptographic attacks that allow an attacker to obtain plaintext intellectual property without the key, among other impacts.”

The US-CERT warning came after a recent academic paper [PDF], titled “Standardizing Bad Cryptographic Practice,” released by a team of researchers from University of Florida discovered and reported a total of seven vulnerabilities in the IEEE P1735 standard.


Here’s the list of all vulnerabilities in P1735 standard with their assigned CVE IDs:

  • CVE-2017-13091: Improperly specified padding in the standard’s use of AES-CBC mode allows the use of an Electronic Design Automation (EDA) tool as a decryption oracle.
  • CVE-2017-13092: Improperly specified HDL (hardware description language) syntax allows the use of an EDA tool as a decryption oracle.
  • CVE-2017-13093: Modification of encrypted intellectual property (IP) cyphertexts to include hardware Trojans.
  • CVE-2017-13094: Modification of the encryption key and insertion of hardware trojans in any IP without knowledge of the key.
  • CVE-2017-13095: Modification of a license-deny response to a license grant or vice versa.
  • CVE-2017-13096: Modification of Rights Block, which contains the RSA-encryption of an AES key, to get rid of or relax access control.
  • CVE-2017-13097: Modification of Rights Block to get rid of or relax license requirement.

The main vulnerability (CVE-2017-13091) resides in the IEEE P1735 standard’s use of AES-CBC mode.

Since the standard makes no recommendation for any specific padding scheme, the developers often choose the wrong scheme, making it possible for attackers to use a well-known classic padding-oracle attack (POA) technique to decrypt the system-on-chip blueprints without knowledge of the key.

“While the confidentiality attacks can reveal the entire plaintext IP, the integrity attack enables an attacker to insert hardware trojans into the encrypted IP,” the researchers concluded.

“This not only destroys any protection that the standard was supposed to provide but also increases the risk premium of the IP.”

The researchers also proposed various optimisations of the basic confidentiality attacks that can reduce the complexity.

Vendors using the IEEE P1735 scheme in an insecure manner have already been alerted by US-CERT. The vendors contacted by the US-CERT include AMD, Intel, Qualcomm, Cisco, IBM, Samsung, Synopsys, Mentor Graphics, Marvell, NXP, Cadence Design Systems, Xilinx and Zuken.

All of the above vendors are believed to be at a potential risk of these vulnerabilities, but so far it is not confirmed.

The researchers have suggested quick fixes which EDA software developers can apply to address the issues. Users are recommended to wait for an update from their EDA software vendors and apply as it becomes available.

Warning: Critical Tor Browser Vulnerability Leaks Users’ Real IP Address—Update Now


If you follow us on Twitter, you must be aware that since yesterday we have been warning Mac and Linux users of the Tor anonymity browser about a critical vulnerability that could leak their real IP addresses to potential attackers when they visit certain types of web pages.

Discovered by Italian security researcher Filippo Cavallarin, the vulnerability resides in FireFox that eventually also affects Tor Browser, since the privacy-aware service that allows users to surf the web anonymously uses FireFox at its core.

Dubbed by the researcher as TorMoil, the vulnerability affects Tor browser for macOS and Linux and not for Windows, but keeping in mind the security and privacy of Tor users, details about this flaw has not been yet publicly revealed.

Cavallarin, CEO of the security firm We Are Segment, privately reported the security vulnerability to Tor developers on Thursday (October 26), and the Tor developers have rolled out an emergency update Tor version 7.0.8.

According to a short blog post published Tuesday by We Are Segment, the TorMoil vulnerability is due to a Firefox issue in “handling file:// URLs.”

TorMoil is triggered when users click on links that begin with file:// addresses, instead of the more common https:// and http:// addresses.

“Due to a Firefox bug in handling file:// URLs it is possible on both systems that users leak their IP address,” the blog post reads.

“Once an affected user [running macOS or Linux system] navigates to a specially crafted web page, the operating system may directly connect to the remote host, bypassing Tor Browser.”

The Tor Project has currently issued a temporary workaround to prevent the real IP leakage.

So, macOS and Linux users may found the updated versions of the Tor anonymity browser not behaving properly while navigating to file:// addresses, until a permanent patch becomes available.

“The fix we deployed is just a workaround stopping the leak. As a result of that navigating file:// URLs in the browser might not work as expected anymore. In particular entering file:// URLs in the URL bar and clicking on resulting links is broken,” the Tor Project said in a blog post published Friday.

“Opening those in a new tab or new window does not work either. A workaround for those issues is dragging the link into the URL bar or on a tab instead. We track this follow-up regression in bug 24136.”

According to the Tor Project, users of both the Windows versions of Tor, Tails and the sandboxed-tor-browser that’s in alpha testing are not affected.

The Tor Project also said there’s no evidence the TorMoil vulnerability has been actively exploited by hackers to obtain the IP addresses of Tor users.

However, lack of evidence does not prove the bug was not exploited by nation-state attackers and skilled hackers, given the high-demand of Tor zero-day exploit in the market, where Zerodium is ready to pay anyone $1 Million for its exploit.

In an attempt to keep its users’ privacy protected, the Tor Project has recently announced the release of Tor that includes support for the next generation onion services, with the integration of new cutting-edge encryption and improvement of overall authentication into its web service.

‘LeakTheAnalyst’ Hacker Who Claimed to Have Hacked FireEye Arrested


Remember the hacker who claimed to have breached FireEye late July this year?

That alleged hacker has been arrested and taken into custody Thursday by international law enforcement, FireEye CEO Kevin Mandia informed the media.

Late July, the hacker, whose name has not yet been disclosed, managed to hack the personal online accounts of a ‎Senior Threat Intelligence Analyst at Mandiant—a Virginia-based cybersecurity firm owned by the FireEye—and leaked nearly 32 megabytes of data belonging to Peretz.

At that time, the hacker claimed that he had started #LeakTheAnalyst operation that aimed at doxing the security analysts who hunt hackers. The hacker also claimed to have had complete access to the company’s internal networks since 2016.

“Let’s trash their reputation in the field,” the hacker said. “It was fun to be inside a giant company named “Mandiant” we enjoyed watching how they try to protect their clients and how their dumb analysts are trying to reverse engineer malware and stuff.”

“This leak was just a glimpse of how deep we breached into Mandiant, we might publish more critical data in the future.”

Later in August, FireEye announced that it found no evidence the company’s corporate network were compromised, saying the attacker merely managed to compromise social media accounts of just one of its employees.

The attacker did so by re-using credentials for the employee’s social media and email accounts that were previously exposed in publicly-disclosed third-party data breach.

FireEye CEO announced the hacker’s arrest at the company’s Q3 Earnings Results Conference Call on Wednesday.

“These attackers rarely, if ever get caught…Over my career, I have found it frustrating how little risk or repercussions exist for the attackers, who hide behind the anonymity of the internet to cause harm to good, well-intentioned people,” Mandia said.

“Therefore, I am pleased that, in this case, we were able to impose repercussions for the attacker and achieve a small victory for the good guys.”

Mandia also told CRN that FireEye had to spend a “tremendous” amount of its time and effort into investigating the hacker’s July claims, which costs the company a lot, both in efforts and money.

So far, neither the law enforcement officials nor FireEye have reveal the real name of the hacker and the location from where he was arrested.

Kaspersky Opens Antivirus Source Code for Independent Review to Rebuild Trust


Kaspersky Lab — We have nothing to hide!

Russia-based Antivirus firm hits back with what it calls a “comprehensive transparency initiative,” to allow independent third-party review of its source code and internal processes to win back the trust of customers and infosec community.

Kaspersky launches this initiative days after it was accused of helping, knowingly or unknowingly, Russian government hackers to steal classified material from a computer belonging to an NSA contractor.

Earlier this month another story published by the New York Times claimed that Israeli government hackers hacked into Kaspersky’s network in 2015 and caught Russian hackers red-handed hacking US government with the help of Kaspersky.

US officials have long been suspicious that Kaspersky antivirus firm may have ties to Russian intelligence agencies.

Back in July, the company offered to turn over the source code for the U.S. government to audit.

However, the offer did not stop U.S. Department of Homeland Security (DHS) from banning and removing Kaspersky software from all of the government computers.

In a blog post today the company published a four-point plan:

  • Kaspersky will submit its source code for independent review by internationally recognised authorities, starting in Q1 2018.
  • Kaspersky also announced an independent review of its business practices to assure the integrity of its solutions and internal processes.
  • Kaspersky will establish three transparency centres in next three years, “enabling clients, government bodies & concerned organisations to review source code, update code and threat detection rules.”
  • Kaspersky will pay up to $100,000 in bug bounty rewards for finding and reporting vulnerabilities in its products.

“With these actions, we will be able to overcome mistrust and support our commitment to protecting people in any country on our planet.” Kaspersky’s CEO Eugene said.

However, infosec experts’ twitter commentary shows that the damage has already been done.

“Code review is absolutely meaningless. All Russian intelligence need is an access to KSN, Kaspersky’s data lake which is a treasure trove of data. Even open sourcing the entire product won’t reveal or even help with revealing that.” Amit Serper, the security researcher at Cybereason, tweeted.

Now it is important to see whether these actions will be enough to restore the confidence of US government agencies in Kaspersky or the company will be forced to move its base out of Russia.

Yet Another Linux Kernel Privilege-Escalation Bug Discovered

Security researchers have discovered a new privilege-escalation vulnerability in Linux kernel that could allow a local attacker to execute code on the affected systems with elevated privileges.

Discovered by Venustech ADLab (Active-Defense Lab) researchers, the Linux kernel vulnerability (CVE-2017-15265) is due to a use-after-free memory error in the Advanced Linux Sound Architecture (ALSA) sequencer interface of the affected application.

The Advanced Linux Sound Architecture (ALSA) provides audio and MIDI functionality to the Linux operating system, and also bundles a userspace driven library for application developers, enabling direct (kernel) interaction with sound devices through ALSA libraries.

Successful exploitation of this vulnerability requires an attacker—with local access on the targeted system—to execute a maliciously crafted application on a targeted system, which allows the attacker to elevate his privilege to root on the targeted system, a Cisco advisory warned.

The vulnerability affects major distributions of the Linux operating system including RedHat, Debian, Ubuntu, and Suse, and is triggered by a slip in snd_seq_create_port().

This “snd_seq_create_port() creates a port object and returns its pointer, but it doesn’t take the refcount, thus it can be deleted immediately by another thread,” the researchers wrote in an advisory published Wednesday. 

“Meanwhile, snd_seq_ioctl_create_port() still calls the function snd_seq_system_client_ev_port_start() with the created port object that is being deleted, and this triggers use-after-free.”

The vulnerability has been patched in Linux kernel version 4.13.4-2, which was fixed just by taking the refcount properly at “snd_seq_create_port()” and letting the caller unref the object after use.

Administrators are advised to apply the appropriate updates on their Linux distributions as soon as they receive them from their respective distro. They’re also recommended to allow only trusted users to access local systems and always monitor affected systems.

This flaw is yet another privilege escalation vulnerability recently uncovered in the Linux kernel.

Last month, a high-risk 2-year-old potential local privilege escalation flaw was patched in the Linux kernel that affected all major Linux distributions, including Red Hat, Debian, and CentOS.

In February, another privilege-escalation vulnerability that dates back to 2011 disclosed and patched in the Linux kernel which also affected major Linux distro, including Redhat, Debian, OpenSUSE, and Ubuntu.

Powered by WPeMatico

Warning: Millions Of P0rnHub Users Hit With Malvertising Attack


Researchers from cybersecurity firm Proofpoint have recently discovered a large-scale malvertising campaign that exposed millions of Internet users in the United States, Canada, the UK, and Australia to malware infections.

Active for more than a year and still ongoing, the malware campaign is being conducted by a hacking group called KovCoreG, which is well known for distributing Kovter ad fraud malware that was used in 2015 malicious ad campaigns, and most recently earlier in 2017.

The KovCoreG hacking group initially took advantage of P0rnHub—one of the world’s most visited adult websites—to distribute fake browser updates that worked on all three major Windows web browsers, including Chrome, Firefox, and Microsoft Edge/Internet Explorer.

According to the Proofpoint researchers, the infections in this campaign first appeared on P0rnHub web pages via a legitimate advertising network called Traffic Junky, which tricked users into installing the Kovtar malware onto their systems.

Among other malicious things, the Kovter malware is known for its unique persistence mechanism, allowing the malware to load itself after every reboot of the infected host.

The Traffic Junky advertising network redirected users to a malicious website, where Chrome and Firefox users were shown a fake browser update window, while Internet Explorer and Edge users got a fake Flash update.


“The [infection] chain begins with a malicious redirect hosted on avertizingms[.]com, which inserts a call hosted behind KeyCDN, a major content delivery network,” Proofpoint writes.

The attackers used a number of filters and fingerprinting of “the timezone, screen dimension, language (user/browser) history length of the current browser windows, and unique id creation via Mumour,” in an effort to target users and evade analysis.

Researchers said Chrome users were infected with a JavaScript which beaconed back to the server controlled by the attackers, preventing security analysts working through the infection chain if their IP had not “checked in.”

This makes it extremely unlikely that the JavaScript can be run alone and provide the payload in a sandbox environment,” Proofpoint writes. “This is most likely why this component of the chain has not been documented previously.

In this case, the attackers limited their campaign to click fraud to generate illicit revenue, but Proofpoint researchers believed the malware could easily be modified to spread ransomware, information stealing Trojans or any other malware.

Both P0rnHub and Traffic Junky, according to the researchers, “acted swiftly to remediate this threat upon notification.

Although this particular infection chain was successfully shut down after the site operator and ad network got notified, the malware campaign is still ongoing elsewhere.

Powered by WPeMatico