@RISK Newsletter for December 20, 2012 The Consensus Security Vulnerability Alert

This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.


@RISK: The Consensus Security Vulnerability Alert
Vol. 12, Num. 51

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.

Archived issues may be found at https://www.qualys.com/research/sans-at-risk/


CONTENTS:

NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 12/13/2012 - 12/19/2012


TOP VULNERABILITY THIS WEEK: An arbitrary memory write vulnerability in
certain Samsung chipset drivers has been demonstrated in the wild, with
easy-to-use source code available for exploit generation. Attacks are
presumed to be commencing; CyanogenMod has released a patch, but
mainstream Samsung device users have not yet received one, despite
claims that Samsung has a patch tested and available.


NOTABLE RECENT SECURITY ISSUES SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM

Title: Samsung device driver arbitrary memory overwrite vulnerability
Description: A user by the name of alephzain posted details of a major
memory access vulnerability in devices using certain Samsung chipsets
and kernels. Any Android application installed on an affected device
can overwrite arbitrary system memory, and so gain root, through the
/dev/exynos “System on a Chip” device nodes. The affected silicon is
used in many popular Samsung hardware platforms, including the Galaxy
SII and SIII, as well as the MEIZU MX and others. Full details,
including system libraries and sample exploit code, were published
along with the writeup, and exploits are presumed to be circulating in
the wild at this point. Multiple users on XDA-Developers have posted
patches, and CyanogenMod has already committed a fix for its users.
Meanwhile, other users of the popular Android development forum have
charged that Samsung has had a patch for this known “open source”
issue for weeks and has not released it, despite other updates having
been pushed to customers in the interim, highlighting the serious
problem of vendors’ and carriers’ reluctance to patch mobile devices
rapidly.
Reference:
http://forum.xda-developers.com/showthread.php?t=2048511
http://en.wikipedia.org/wiki/Exynos_(system_on_chip)
http://www.androidauthority.com/xda-developer-patches-samsung-exynos-chip-vulnerability-140742/
Snort SID:
ClamAV:
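
The bug class in this item is a kernel driver that exposes privileged
memory through a device node ordinary apps are allowed to open. The
script below is an added editor's check, not code from the XDA thread:
it lists character devices under /dev that are readable or writable by
everyone and are not on a short allowlist of devices meant to be
public, which is the audit you would run over adb shell on a device you
are assessing. The allowlist is an assumption to adjust per platform;
the only device name in the page is /dev/exynos, and nothing below
depends on a particular node name.

```python
"""Editor's audit check: world-accessible character devices under /dev.

Only metadata is read; nothing is opened or written. Run on the device
(e.g. over 'adb shell') with any Python 3.
"""
import os
import stat

# Assumed allowlist: nodes that are legitimately world-accessible on
# Linux/Android. Anything else that shows up deserves a look.
EXPECTED_PUBLIC = {"null", "zero", "full", "random", "urandom",
                   "tty", "ptmx", "ashmem", "binder"}


def make_mode(kind: str, perms: int) -> int:
    """Build an st_mode for illustration: kind in {'chr', 'blk', 'reg'}."""
    return {"chr": stat.S_IFCHR, "blk": stat.S_IFBLK, "reg": stat.S_IFREG}[kind] | perms


def is_world_accessible_chardev(mode: int) -> bool:
    """True for a character device readable or writable by 'other'."""
    return stat.S_ISCHR(mode) and bool(mode & (stat.S_IROTH | stat.S_IWOTH))


def suspicious(path: str, mode: int) -> bool:
    """World-accessible character device that is not on the allowlist."""
    return is_world_accessible_chardev(mode) and os.path.basename(path) not in EXPECTED_PUBLIC


def scan_entries(entries):
    """entries: iterable of (path, st_mode). Returns [(path, '0o666'), ...] for hits."""
    return [(path, oct(stat.S_IMODE(mode))) for path, mode in entries if suspicious(path, mode)]


def scan(root: str = "/dev"):
    """Walk root using lstat, so symlinks are skipped and only real nodes count."""
    def entries():
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    yield path, os.lstat(path).st_mode
                except OSError:
                    continue
    return scan_entries(entries())


if __name__ == "__main__":
    for path, perms in scan():
        print(perms, path)
```

A node that appears here with mode 0666 (or 0644 for a read side) and
is not an expected public device is exactly the shape of finding that
turned into a root exploit in this case; check what the driver behind
it maps or lets userspace write.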

Title: FBI report says SCADA “Niagara” backdoor exploited in the US this year
Description: Using nothing more than the popular web device search
service Shodan, attackers in the wild have been exploiting an
authentication bypass vulnerability in the Niagara AX Framework, made
by Richmond, VA-based firm Tridium. The web interface for the framework,
by default, does not require a password, and provides full
administrative access to systems controlling HVAC in offices around the
world. The system was typically set up with floor plans, personnel and
departmental names, etc., providing a wealth of useful data for spear
phishers, social engineers, and the like. As of Wednesday, Dec. 19, no
notice was posted on the vendor’s site discussing a patch or any
mitigations for this vulnerability. Potentially impacted users are urged
to shut down unnecessary web services and to restrict access to any that
remain to authorized, known IP addresses.
Reference:
http://www.wired.com/images_blogs/threatlevel/2012/12/FBI-AntisecICS.pdf
http://www.shodanhq.com/search?q=niagara_audit+-login
http://arstechnica.com/security/2012/12/intruders-hack-industrial-control-system-using-backdoor-exploit/
http://www.tridium.com/cs/products_/_services/niagaraax
Snort SID: 25057
ClamAV: N/A

Title: Anonymous Doxes the WBC
Description: Members of the Anonymous collective posted personal and
professional contact details for members of the Westboro Baptist Church
on Pastebin on Sunday morning, apparently in response to the WBC’s
announcement that it would be protesting the funerals of those killed in
the recent tragedy in Newtown, CT last week. Anonymous did not say how
the private information was found, and little speculation has been put
forward within the information security community. The move coincided
with other political moves surrounding the group, such as a White House
online petition that has gathered close to 200,000 signatures asking
that the WBC be legally recognized as a hate group.
Reference:
http://pastebin.com/2PmbBm8f
https://petitions.whitehouse.gov/petition/legally-recognize-westboro-baptist-church-hate-group/DYf3pH2d
Snort SID: N/A
ClamAV: N/A


USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK

Setting HoneyTraps with ModSecurity: Unused Web Ports:
http://blog.spiderlabs.com/2012/12/setting-honeytraps-with-modsecurity-unused-web-ports.html

Why Google Maps is better than Apple Maps:
http://www.theatlantic.com/technology/archive/2012/12/why-google-maps-is-better-than-apple-maps/266218/

Has WWII carrier pigeon message been cracked?
http://www.bbc.co.uk/news/uk-20749632

Mercury Android malware system releases new version:
http://labs.mwrinfosecurity.com/blog/2012/12/14/whats-new-in-mercury-v2/

Scientific study of malware obfuscation techniques:
http://www.xors.me/?p=6126

Inside Impact Exploit Kit:
http://malware.dontneedcoffee.com/2012/12/inside-impact-exploit-kit-back-on-track.html

The Dexter malware: getting your hands dirty:
http://blog.spiderlabs.com/2012/12/the-dexter-malware-getting-your-hands-dirty.html

Lessons learned from US financial services DDoS attacks:
http://ddos.arbornetworks.com/2012/12/lessons-learned-from-the-u-s-financial-services-ddos-attacks/

From SQL injection to shell, PostgreSQL edition (PentesterLab):
https://pentesterlab.com/from_sqli_to_shell_pg_edition.html


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.

ID: CVE-2012-4959
Title: Novell File Reporter Agent XML Parsing Remote Code Execution Vulnerability
Vendor: Novell
Description: Directory traversal vulnerability in NFRAgent.exe in Novell
File Reporter 1.0.2 allows remote attackers to upload and execute files
via a 130 /FSF/CMD request with a .. (dot dot) in a FILE element of an
FSFUI record.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
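
The bug class behind this entry is a file name, taken straight from an
XML record, joined onto a server-side directory without checking for
“..” components. The example below is the editor's, not Novell's code:
the FSFUI-style record, the upload root and the file names are
constructed for illustration and do not reproduce the real NFRAgent.exe
format. It shows the naive join beside a resolver that rejects any name
escaping the upload directory, treating backslashes as separators since
the agent is a Windows binary.

```python
"""Editor's example of the path-traversal bug class behind CVE-2012-4959.

The record layout, upload root and file names are constructed for
illustration; they are not the real FSFUI format or paths.
"""
import posixpath
import xml.etree.ElementTree as ET

UPLOAD_ROOT = "/srv/nfragent/uploads"  # assumed, for illustration only

# Constructed records, not captured traffic.
MALICIOUS_RECORD = b"<FSFUI><FILE>..\\..\\..\\Windows\\evil.exe</FILE></FSFUI>"
BENIGN_RECORD = b"<FSFUI><FILE>reports\\scan-2012-12.xml</FILE></FSFUI>"


def file_name_from_record(record: bytes) -> str:
    """Text of the FILE element. For real untrusted XML, parse with defusedxml."""
    node = ET.fromstring(record).find("FILE")
    if node is None or not node.text:
        raise ValueError("record carries no FILE element")
    return node.text


def vulnerable_target(base: str, name: str) -> str:
    """The naive join: '..' components walk straight out of the base directory."""
    return posixpath.normpath(posixpath.join(base, name.replace("\\", "/")))


def safe_target(base: str, name: str) -> str:
    """Resolve name under base, or raise ValueError if it would escape."""
    candidate = name.replace("\\", "/")  # Windows agent: treat both separators alike
    if "\x00" in candidate:
        raise ValueError("NUL byte in file name")
    if candidate.startswith("/") or ":" in candidate:
        raise ValueError(f"absolute or drive-qualified path rejected: {name!r}")
    base_norm = posixpath.normpath(base)
    resolved = posixpath.normpath(posixpath.join(base_norm, candidate))
    # normpath has collapsed any '..'; the result must sit strictly below base.
    if not resolved.startswith(base_norm + "/"):
        raise ValueError(f"traversal rejected: {name!r} resolves to {resolved}")
    return resolved


def is_safe_name(base: str, name: str) -> bool:
    try:
        safe_target(base, name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for record in (BENIGN_RECORD, MALICIOUS_RECORD):
        name = file_name_from_record(record)
        print("naive:", vulnerable_target(UPLOAD_ROOT, name))
        print("safe :", safe_target(UPLOAD_ROOT, name)
              if is_safe_name(UPLOAD_ROOT, name) else "REJECTED")
```

The check is done on the normalised string, not by looking for the
literal “..”, so encodings such as “dir/../../x” are caught the same
way; URL-decoding of the request body, if any, has to happen before
this point.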

ID: CVE-2010-2590
Title: SAP Crystal Reports Print ActiveX “PrintControl.dll” Heap Buffer Overflow Vulnerability
Vendor: SAP
Description: Heap-based buffer overflow in the
CrystalReports12.CrystalPrintControl.1 ActiveX control in
PrintControl.dll 12.3.2.753 in SAP Crystal Reports 2008 SP3 Fix Pack 3.2
allows remote attackers to execute arbitrary code via a long
ServerResourceVersion property value.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2012-5975
Title: SSH Tectia Server Remote Authentication Bypass Vulnerability
Vendor: SSH Communications Security
Description: A remote authentication bypass vulnerability was disclosed
which affects the current Unix/Linux versions of Tectia SSH Server. The
public exploit abuses a bug in the server’s handling of the SSH
USERAUTH CHANGE REQUEST message.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

ID: CVE-2012-6066
Title: freeFTPd/freeSSHd Remote Authentication Security Bypass Vulnerability
Vendor: freesshd
Description: freeSSHd.exe in freeSSHd through 1.2.6 allows remote
attackers to bypass authentication via a crafted session, as
demonstrated by an OpenSSH client with modified versions of ssh.c and
sshconnect2.c.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2012-5611
Title: Oracle MySQL Server Command Processing Buffer Overflow Vulnerability
Vendor: Oracle
Description: Stack-based buffer overflow in MySQL 5.5.19, 5.1.53, and
possibly other versions, and MariaDB 5.5.2.x before 5.5.28a, 5.3.x
before 5.3.11, 5.2.x before 5.2.13 and 5.1.x before 5.1.66, allows
remote authenticated users to execute arbitrary code via a long argument
to the GRANT FILE command.
CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)


MOST PREVALENT MALWARE FILES 12/13/2012 - 12/19/2012 COMPILED BY SOURCEFIRE

(Virustotal links that are not found mean that the file that Sourcefire
is detecting has not yet been analyzed by Virustotal)

SHA 256: 806E83820EABE18D28FA4080F20189EE160F43AFB3E51B99CDA23CF4EF73F9C8
MD5:
VirusTotal: https://www.virustotal.com/file/806E83820EABE18D28FA4080F20189EE160F43AFB3E51B99CDA23CF4EF73F9C8/analysis/

Typical Filename:
Claimed Product:
Claimed Publisher:

SHA 256: 1B8C2FC3E7324DE7D88A5A481F5FA9FC7A1CA6EA3EEEE6056ACFB749FCA4E046
MD5:
VirusTotal: https://www.virustotal.com/file/1B8C2FC3E7324DE7D88A5A481F5FA9FC7A1CA6EA3EEEE6056ACFB749FCA4E046/analysis/

Typical Filename:
Claimed Product:
Claimed Publisher:

SHA 256: 7413CF9F448EC6845EA5FF00B07C73D8E4869C85DEB7DE1224CA27D4AF6F0DD3
MD5:
VirusTotal: https://www.virustotal.com/file/7413CF9F448EC6845EA5FF00B07C73D8E4869C85DEB7DE1224CA27D4AF6F0DD3/analysis/

Typical Filename:
Claimed Product:
Claimed Publisher:

SHA 256: CA3BBC97310150AA85AEB15AB85F63A7D1B0CDB4BE2C3565A71FB5FB3EA1AB33
MD5:
VirusTotal: https://www.virustotal.com/file/CA3BBC97310150AA85AEB15AB85F63A7D1B0CDB4BE2C3565A71FB5FB3EA1AB33/analysis/

Typical Filename:
Claimed Product:
Claimed Publisher:

SHA 256: 883FC048EA0FDC044601EF84A93AB90FA1181E9D2E8E544FA6119D35D5B2A94F
MD5:
VirusTotal: https://www.virustotal.com/file/883FC048EA0FDC044601EF84A93AB90FA1181E9D2E8E544FA6119D35D5B2A94F/analysis/

Typical Filename:
Claimed Product:
Claimed Publisher:

