Tag Archives: Vulnerability

Serious Crypto-Flaw Lets Hackers Recover Private RSA Keys Used in Billions of Devices


If you think KRACK attack for WiFi is the worst vulnerability of this year, then hold on…

…we have got another one for you which is even worse.

Microsoft, Google, Lenovo, HP and Fujitsu are warning their customers of a potentially serious vulnerability in widely used RSA cryptographic library produced by German semiconductor manufacturer Infineon Technologies.

It’s noteworthy that this crypto-related vulnerability (CVE-2017-15361) doesn’t affect elliptic-curve cryptography and the encryption standard itself, rather it resides in the implementation of RSA key pair generation by Infineon’s Trusted Platform Module (TPM).

Infineon’s Trusted Platform Module (TPM) is a widely-used, dedicated microcontroller designed to secure hardware by integrating cryptographic keys into devices and is used for secured crypto processes.

This 5-year-old algorithmic vulnerability was discovered by security researchers at Masaryk University in the Czech Republic, who have released a blog post with more details about the weakness as well as an online tool to test if RSA keys are vulnerable to this dangerous flaw.

ROCA: Factorization Attack to Recover Private RSA Keys

Dubbed ROCA (Return of Coppersmith’s Attack), the factorization attack introduced by the researchers could potentially allow a remote attacker to reverse-calculate a private encryption key just by having a target’s public key—thanks to this bug.

“Only the knowledge of a public key is necessary and no physical access to the vulnerable device is required,” the researchers said. “The vulnerability does NOT depend on a weak or a faulty random number generator—all RSA keys generated by a vulnerable chip are impacted.”

This could eventually allow the attacker to impersonate key owner, decrypt victim’s sensitive data, inject malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with the targeted computer.

ROCA Attack Exposes Billions of Devices to Attack


The ROCA attack affects chips manufactured by Infineon as early as 2012 and is feasible for key lengths, including 1024 and 2048 bits, which is most commonly used in the national identity cards, on PC motherboards to securely store passwords, in authentication tokens, during secure browsing, during software and application signing, and with message protection like PGP.

The flaw also weakens the security of government and corporate computers protected using Infineon’s cryptographic library and chips.

Majority of Windows and Google Chromebook devices developed by HP, Lenovo and Fujitsu are amongst those affected by the ROCA attack.

“We found and analyzed vulnerable keys in various domains including electronic citizen documents, authentication tokens, trusted boot devices, software package signing, TLS/HTTPS keys and PGP,” the researchers said. 

“The currently confirmed number of vulnerable keys found is about 760,000 but possibly up to two to three magnitudes more are vulnerable.”

More Details, Testing Tool, and Patches

The security researchers have released a brief blog post about the flaw, which includes a number of tools for detection, mitigation and workarounds.

The vulnerability was discovered and reported to Infineon Technologies in February this year and the researchers will present their full findings, including the factorization method, on November 2nd at the ACM Conference on Computer and Communications Security.

Their research paper, titled “The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli” (ROCA), will also be released after their presentation.

So, companies and organisations have enough time to change affected encryption keys before the details of how this vulnerability works and could be exploited are released.

Major vendors including InfineonMicrosoft, Google, HP, Lenovo, and Fujitsu have already released the software updates for their relevant hardware and software as well as guidelines for a mitigation of this vulnerability.

“Some Windows security features and potentially third-party software rely on keys generated by the TPM (if available on the system),” according to a Microsoft advisory. “Microsoft is releasing Windows security updates to help work around the vulnerability by logging events and by allowing the generation of software based keys.”

Therefore, users are strongly recommended to patch their devices as soon as possible—AGAIN!

Powered by WPeMatico

Yet Another Linux Kernel Privilege-Escalation Bug Discovered

Security researchers have discovered a new privilege-escalation vulnerability in Linux kernel that could allow a local attacker to execute code on the affected systems with elevated privileges.

Discovered by Venustech ADLab (Active-Defense Lab) researchers, the Linux kernel vulnerability (CVE-2017-15265) is due to a use-after-free memory error in the Advanced Linux Sound Architecture (ALSA) sequencer interface of the affected application.

The Advanced Linux Sound Architecture (ALSA) provides audio and MIDI functionality to the Linux operating system, and also bundles a userspace driven library for application developers, enabling direct (kernel) interaction with sound devices through ALSA libraries.

Successful exploitation of this vulnerability requires an attacker—with local access on the targeted system—to execute a maliciously crafted application on a targeted system, which allows the attacker to elevate his privilege to root on the targeted system, a Cisco advisory warned.

The vulnerability affects major distributions of the Linux operating system including RedHat, Debian, Ubuntu, and Suse, and is triggered by a slip in snd_seq_create_port().

This “snd_seq_create_port() creates a port object and returns its pointer, but it doesn’t take the refcount, thus it can be deleted immediately by another thread,” the researchers wrote in an advisory published Wednesday. 

“Meanwhile, snd_seq_ioctl_create_port() still calls the function snd_seq_system_client_ev_port_start() with the created port object that is being deleted, and this triggers use-after-free.”

The vulnerability has been patched in Linux kernel version 4.13.4-2, which was fixed just by taking the refcount properly at “snd_seq_create_port()” and letting the caller unref the object after use.

Administrators are advised to apply the appropriate updates on their Linux distributions as soon as they receive them from their respective distro. They’re also recommended to allow only trusted users to access local systems and always monitor affected systems.

This flaw is yet another privilege escalation vulnerability recently uncovered in the Linux kernel.

Last month, a high-risk 2-year-old potential local privilege escalation flaw was patched in the Linux kernel that affected all major Linux distributions, including Red Hat, Debian, and CentOS.

In February, another privilege-escalation vulnerability that dates back to 2011 disclosed and patched in the Linux kernel which also affected major Linux distro, including Redhat, Debian, OpenSUSE, and Ubuntu.

Powered by WPeMatico

First Android Malware Found Exploiting Dirty COW Linux Flaw to Gain Root Privileges


Nearly a year after the disclosure of the Dirty COW vulnerability that affected the Linux kernel, cybercriminals have started exploiting the vulnerability against Android users, researchers have warned.

Publicly disclosed last year in October, Dirty COW was present in a section of the Linux kernel—a part of virtually every Linux distribution, including Red Hat, Debian, and Ubuntu—for years and was actively exploited in the wild.

The vulnerability allows an unprivileged local attacker to gain root access through a race condition issue, gain access to read-only root-owned executable files, and permit remote attacks.

However, security researchers from Trend Micro published a blog post on Monday disclosing that the privilege escalation vulnerability (CVE-2016-5195), known as Dirty COW, has now been actively exploited by a malware sample of ZNIU, detected as AndroidOS_ZNIU.

This is the first time we have seen a malware sample to contain an exploit for the vulnerability designed to compromise devices running on the mobile platform.

This Dirty Cow Exploit found in Over 1,200 Android Apps

The malware uses the Dirty COW exploit to root Android devices via the copy-on-write (COW) mechanism in Android’s Linux kernel and install a backdoor which can then be used by attackers to collect data and generate profit through a premium rate phone number.

Trend Micro researchers detected the ZNIU malware in more than 1,200 malicious Android apps—some of which disguised themselves as pornography and gaming apps—alongside host websites containing malware rootkits that exploit Dirty Cow.

While the Dirty Cow flaw impacts all versions of the Android operating system, the ZNIU’s Dirty Cow exploit only affects Android devices with ARM/X86 64-bit architecture. However, the recent exploit can be used to bypass SELinux and plant backdoors.

“We monitored six ZNIU rootkits, four of which were Dirty COW exploits. The other two were KingoRoot, a rooting app, and the Iovyroot exploit (CVE-2015-1805),” the researchers said. 

“ZNIU used KingoRoot and Iovyroot because they can root ARM 32-bit CPU devices, which the rootkit for Dirty COW cannot.”

Here’s How the ZNIU’s Dirty Cow exploit Works


Once downloaded and installed, the ZNIU malware-carrying app communicates with its command-and-control (C&C) server to check for code updates, while simultaneously the Dirty Cow exploit provides local privilege escalation to gain root access on the device, bypass system restrictions and “plant a backdoor for potential remote control attacks in the future.”

The malware also harvests the carrier information of the user and attempts to send payments via premium SMS messages that were directed to a dummy company in China.

Once the SMS transaction is over, the malware also deletes the messages from the device in order to erase evidence of any compromise.

The researchers found the malware has already infected more than 5,000 Android users across 40 countries in recent weeks, with the majority of victims found in China and India, while other resides in the United States, Japan, Canada, Germany and Indonesia.

Google has released an update for Android that, among other fixes, officially fixes the Dirty COW vulnerability. The tech giant also confirmed that its Play Protect now protects Android users against this malware.

The easiest way to prevent yourself from being targeted by such clever malware is to avoid downloading apps from third-party sources and always stick to the official Google Play Store.

Powered by WPeMatico

Apache Struts 2 Flaws Affect Multiple Cisco Products


After Equifax massive data breach that was believed to be caused due to a vulnerability in Apache Struts, Cisco has initiated an investigation into its products that incorporate a version of the popular Apache Struts2 web application framework.

Apache Struts is a free, open-source MVC framework for developing web applications in the Java programming language, and used by 65 percent of the Fortune 100 companies, including Lockheed Martin, Vodafone, Virgin Atlantic, and the IRS.

However, the popular open-source software package was recently found affected by multiple vulnerabilities, including two remote code execution vulnerabilities—one discovered earlier this month, and another in March—one of which is believed to be used to breach personal data of over 143 million Equifax users.

Some of Cisco products including its Digital Media Manager, MXE 3500 Series Media Experience Engines, Network Performance Analysis, Hosted Collaboration Solution for Contact Center, and Unified Contact Center Enterprise have been found vulnerable to multiple Apache Struts flaws.

Cisco Launches Apache Struts Vulnerability Hunting

Cisco is also testing rest of its products against four newly discovered security vulnerability in Apache Struts2, including the one (CVE-2017-9805) we reported on September 5 and the remaining three also disclosed last week.

However, the remote code execution bug (CVE-2017-5638) that was actively exploited back in March this year is not included by the company in its recent security audit.

The three vulnerabilities—CVE-2017-9793, CVE-2017-9804 and CVE-2017-9805—included in the Cisco security audit was released by the Apache Software Foundation on 5th September with the release of Apache Struts 2.5.13 which patched the issues.

The fourth vulnerability (CVE-2017-12611) that is being investigated by Cisco was released on 7th September with the release of Apache Struts 2.3.34 that fixed the flaw that resided in the Freemarker tag functionality of the Apache Struts2 package and could allow an unauthenticated, remote attacker to execute malicious code on an affected system.

Apache Struts Flaw Actively Exploited to Hack Servers & Deliver Malware

Coming on to the most severe of all, CVE-2017-9805 (assigned as critical) is a programming bug that manifests due to the way Struts REST plugin handles XML payloads while deserializing them.

This could allow a remote, unauthenticated attacker to achieve remote code execution on a host running a vulnerable version of Apache Struts2, and Cisco’s Threat intelligence firm Talos has observed that this flaw is under active exploitation to find vulnerable servers.

Security researchers from data centre security vendor Imperva recently detected and blocked thousands of attacks attempting to exploit this Apache Struts2 vulnerability (CVE-2017-9805), with roughly 80 percent of them tried to deliver a malicious payload.

The majority of attacks originated from China with a single Chinese IP address registered to a Chinese e-commerce company sending out more than 40% of all the requests. Attacks also came from Australia, the U.S., Brazil, Canada, Russia and various parts of Europe.

Out of the two remaining flaws, one (CVE-2017-9793) is again a vulnerability in the REST plug-in for Apache Struts that manifests due to “insufficient validation of user-supplied input by the XStream library in the REST plug-in for the affected application.”

This flaw has been given a Medium severity and could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on targeted systems.

The last flaw (CVE-2017-9804) also allows an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected system but resides in the URLValidator feature of Apache Struts.

Cisco is testing its products against these vulnerabilities including its WebEx Meetings Server, the Data Center Network Manager, Identity Services Engine (ISE), MXE 3500 Series Media Experience Engines, several Cisco Prime products, some products for voice and unified communications, as well as video and streaming services.

At the current, there are no software patches to address the vulnerabilities in Cisco products, but the company promised to release updates for affected software which will soon be accessible through the Cisco Bug Search Tool.

Since the framework is being widely used by a majority of top 100 fortune companies, they should also check their infrastructures against these vulnerabilities that incorporate a version of Apache Struts2.

Powered by WPeMatico

Critical Flaw in Apache Struts2 Lets Hackers Take Over Web Servers


Security researchers have discovered a critical remote code execution vulnerability in the popular Apache Struts web application framework, allowing a remote attacker to run malicious code on the affected servers.

Apache Struts is a free, open-source, Model-View-Controller (MVC) framework for developing web applications in the Java programming language, which supports REST, AJAX, and JSON.

The vulnerability (CVE-2017-9805) is a programming blunder that resides in the way Struts processes data from an untrusted source. Specifically, Struts REST plugin fails to handle XML payloads while deserializing them properly.

All versions of Apache Struts since 2008 (from Struts 2.5 to Struts 2.5.12) are affected, leaving all web applications using the framework’s REST plugin vulnerable to remote attackers.

According to one of the security researchers at LGTM, who discovered this flaw, the Struts framework is being used by “an incredibly large number and variety of organisations,” including Lockheed Martin, Vodafone, Virgin Atlantic, and the IRS.

“On top of that, [the vulnerability] is incredibly easy for an attacker to exploit this weakness: all you need is a web browser,” Man Yue Mo, an LGTM security researcher said.

All an attacker needs is to submit a malicious XML code in a particular format to trigger the vulnerability on the targeted server.

Successful exploitation of the vulnerability could allow an attacker to take full control of the affected server, eventually letting the attacker infiltrate into other systems on the same network.

Mo said this flaw is an unsafe deserialization in Java similar to a vulnerability in Apache Commons Collections, discovered by Chris Frohoff and Gabriel Lawrence in 2015 that also allowed arbitrary code execution.

Many Java applications have since been affected by multiple similar vulnerabilities in recent years.

Since this vulnerability has been patched in Struts version 2.5.13, administrators are strongly advised to upgrade their Apache Struts installation as soon as possible.

More technical details about the vulnerability and proof-of-concept have not been published by the researchers yet, giving admins enough time to upgrade their systems.

Powered by WPeMatico

Critical Code Injection Flaw In Gnome File Manager Leaves Linux Users Open to Hacking


A security researcher has discovered a code injection vulnerability in the thumbnail handler component of GNOME Files file manager that could allow hackers to execute malicious code on targeted Linux machines.

Dubbed Bad Taste, the vulnerability (CVE-2017-11421) was discovered by German researcher Nils Dagsson Moskopp, who also released proof-of-concept code on his blog to demonstrate the vulnerability.

The code injection vulnerability resides in “gnome-exe-thumbnailer” — a tool to generate thumbnails from Windows executable files (.exe/.msi/.dll/.lnk) for GNOME, which requires users to have Wine application installed on their systems to open it.

Those who are unaware, Wine is a free and open-source software that allows Windows applications to run on the Linux operating system.

Moskopp discovered that while navigating to a directory containing the .msi file, GNOME Files takes the filename as an executable input and run it in order to create an image thumbnail.

For successful exploitation of the vulnerability, an attacker can send a crafted Windows installer (MSI) file with malicious VBScript code in its filename, which if downloaded on a vulnerable system would compromise the machine without further user interaction.

“Instead of parsing an MSI file to get its version number, this code creates a script containing the filename for which a thumbnail should be shown and executes that using Wine,” Moskopp explains while demonstrating his PoC. 

“The script is constructed using a template, which makes it possible to embed VBScript in a filename and trigger its execution.”

The flaw can be exploited by potential hackers using other attack vectors as well, for example, by directly inserting a USB-drive with a malicious file stored on it, or delivering the malicious file via drive-by-downloads.

How to Protect Yourself from Bad Taste

Moskopp reported the vulnerability to the GNOME Project and the Debian Project. Both of them patched the vulnerability in the gnome-exe-thumbnailer file.

The vulnerability affects gnome-exe-thumbnailer before 0.9.5 version. So, if you run a Linux OS with the GNOME desktop, check for updates immediately before you become affected by this critical vulnerability.

Meanwhile, Moskopp also advised users to:

  • Delete all files in /usr/share/thumbnailers.
  • Do not use GNOME Files.
  • Uninstall any software that facilitates automatically execution of filenames as code.

Moskopp also advised developers to not use “bug-ridden ad-hoc parsers” to parse files, to “fully recognise inputs before processing them,” and to use unparsers, instead of templates.

Powered by WPeMatico

Remotely Exploitable Flaw Puts Millions of Internet-Connected Devices at Risk


Security researchers have discovered a critical remotely exploitable vulnerability in an open-source software development library used by major manufacturers of the Internet-of-Thing devices that eventually left millions of devices vulnerable to hacking.

The vulnerability (CVE-2017-9765), discovered by researchers at the IoT-focused security firm Senrio, resides in the software development library called gSOAP toolkit (Simple Object Access Protocol) — an advanced C/C++ auto-coding tool for developing XML Web services and XML application.

Dubbed “Devil’s Ivy,” the stack buffer overflow vulnerability allows a remote attacker to crash the SOAP WebServices daemon and could be exploited to execute arbitrary code on the vulnerable devices.

The Devil’s Ivy vulnerability was discovered by researchers while analysing an Internet-connected security camera manufactured by Axis Communications.

“When exploited, it allows an attacker to remotely access a video feed or deny the owner access to the feed,” researchers say. 

“Since these cameras are meant to secure something, like a bank lobby, this could lead to collection of sensitive information or prevent a crime from being observed or recorded.”

Axis confirmed the vulnerability that exists in almost all of its 250 camera models (you can find the complete list of affected camera models here) and has quickly released patched firmware updates on July 6th to address the vulnerability, prompting partners and customers to upgrade as soon as possible.

However, researchers believe that their exploit would work on internet-connected devices from other vendors as well, as the affected software is used by Canon, Siemens, Cisco, Hitachi, and many others.

Axis immediately informed Genivia, the company that maintains gSOAP, about the vulnerability and Genivia released a patch on June 21, 2017.

The company also reached out to electronics industry consortium ONVIF to ensure all of its members, including Canon, Cisco, and Siemens, those who make use of gSOAP become aware of the issue and can develop patches to fix the security hole.

Internet of Things (IoT) devices has always been the weakest link and, therefore, an easy entry for hackers to get into secured networks. So it is always advisable to keep your Internet-connected devices updated and away from the public Internet.

Powered by WPeMatico

Critical RCE Vulnerability Found in Cisco WebEx Extensions, Again — Patch Now!


A highly critical vulnerability has been discovered in the Cisco Systems’ WebEx browser extension for Chrome and Firefox, for the second time in this year, which could allow attackers to remotely execute malicious code on a victim’s computer.

Cisco WebEx is a popular communication tool for online events, including meetings, webinars and video conferences that help users connect and collaborate with colleagues around the world. The extension has roughly 20 million active users.

Discovered by Tavis Ormandy of Google Project Zero and Cris Neckar of Divergent Security, the remote code execution flaw (CVE-2017-6753) is due to a designing defect in the WebEx browser extension.

To exploit the vulnerability, all an attacker need to do is trick victims into visiting a web page containing specially crafted malicious code through the browser with affected extension installed.

Successful exploitation of this vulnerability could result in the attacker executing arbitrary code with the privileges of the affected browser and gaining control of the affected system.

“I see several problems with the way sanitization works, and have produced a remote code execution exploit to demonstrate them,” Ormandy said. “This extension has over 20M [million] active Chrome users alone, FireFox and other browsers are likely to be affected as well.”

Cisco has already patched the vulnerability and released “Cisco WebEx Extension 1.0.12” update for Chrome and Firefox browsers that address this issue, though “there are no workarounds that address this vulnerability.”

“This vulnerability affects the browser extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center), and Cisco WebEx Meetings when they are running on Microsoft Windows,” Cisco confirmed in an advisory released today.

Download Cisco WebEx Extension 1.0.12

In general, users are always recommended to run all software as a non-privileged user in an effort to diminish the effects of a successful attack.

Fortunately, Apple’s Safari, Microsoft’s Internet Explorer and Microsoft’s Edge are not affected by this vulnerability.

Cisco WebEx Productivity Tools, Cisco WebEx browser extensions for Mac or Linux, and Cisco WebEx on Microsoft Edge or Internet Explorer are not affected by the vulnerability, the company confirmed.

The remote code execution vulnerability in Cisco WebEx extension has been discovered second time in this year.

Ormandy alerted the networking giant to an RCE flaw in the WebEx browser extension earlier this year as well, which even led to Google and Mozilla temporarily removing the add-on from their stores.

Powered by WPeMatico

Researchers Crack 1024-bit RSA Encryption in GnuPG Crypto Library


Security boffins have discovered a critical vulnerability in a GnuPG cryptographic library that allowed the researchers to completely break RSA-1024 and successfully extract the secret RSA key to decrypt data.

Gnu Privacy Guard (GnuPG or GPG) is popular open source encryption software used by many operating systems from Linux and FreeBSD to Windows and macOS X.

It’s the same software used by the former NSA contractor and whistleblower Edward Snowden to keep his communication secure from law enforcement.

The vulnerability, labeled CVE-2017-7526, resides in the Libgcrypt cryptographic library used by GnuPG, which is prone to local FLUSH+RELOAD side-channel attack.

A team of researchers — from Technical University of Eindhoven, the University of Illinois, the University of Pennsylvania, the University of Maryland, and the University of Adelaide — found that the “left-to-right sliding window” method used by the libgcrypt library for carrying out the mathematics of cryptography leaks significantly more information about exponent bits than for right-to-left, allowing full RSA key recovery.

“In this paper, we demonstrate a complete break of RSA-1024 as implemented in Libgcrypt. Our attack makes essential use of the fact that Libgcrypt uses the left-to-right method for computing the sliding-window expansion,” the researchers wrote in the research paper.

“The pattern of squarings and multiplications in left-to-right sliding windows leaks significantly more information about the exponent than right-to-left. We show how to extend the Heninger-Shacham algorithm for partial key reconstruction to make use of this information and obtain a very efficient full key recovery for RSA-1024.”

L3 Cache Side-Channel Attack requires an attacker to run arbitrary software on the hardware where the private RSA key is used.

The attack allows an attacker to extract the secret crypto key from a system by analyzing the pattern of memory utilization or the electromagnetic outputs of the device that are emitted during the decryption process.

“Thus in practice, there are easier ways to access the private keys than to mount this side-channel attack. However, on boxes with virtual machines, this attack may be used by one VM to steal private keys from another VM,” Libgcrypt advisory reads.

Researchers have also provided evidence that the same side channel attack also works against RSA-2048, which require moderately more computation than RSA-1024.

The research paper titled, ‘Sliding right into disaster: Left-to-right sliding windows leak,’ was authored by Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink, Nadia Heninger, Christine van Vredendaal, Tanja Lange and Yuval Yarom.

Libgcrypt has released a fix for the issue in Libgcrypt version 1.7.8. Debian and Ubuntu have already updated their library with the latest version of Libgcrypt.

So, you are strongly advised to check if your Linux distribution is running the latest version of the Libgcrypt library.

Powered by WPeMatico