@RISK Newsletter for February 07, 2013
The consensus security vulnerability alert.
Vol. 13, Num. 6
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 1/30/2013 - 2/5/2013
TOP VULNERABILITY THIS WEEK: Exploit code was released in Metasploit
impacting up to approximately 50 million machines with vulnerable
versions of UPnP exposed to the Internet, a figure which was derived
from HD Moore’s recent full scan of all IPv4 address space. While
vendors of the most popular UPnP libraries are rushing to issue patches,
since many of the impacted devices are embedded (home routers, IP
televisions, etc.), downstream patches are likely to be some time
coming. Administrators of home and professional networks are strongly
advised to cut off UPnP from the Internet on their networks immediately.
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM
Title: HD Moore releases UPnP exploits impacting over 40 million devices
Description: Drawing on research from this summer in which Moore scanned
the entire IPv4 address space and mapped out available resources,
Metasploit on Monday released a group of UPnP exploits that should
impact between 40 and 50 million machines that are directly accessible
on the Internet. Impacting a wide swath of systems, from home routers
to printers and IP cameras, these exploits - though already patched in
the most popular libraries implementing the protocol - have the potential
to wreak serious havoc across the Internet, as previously impractical
attacks on personal computing devices can now be completed in many cases
with a single UDP packet. Network administrators are strongly urged to
cut off UPnP at their gateways, as leaving the protocol accessible to
the Internet is problematic even without the use of a specific exploit.
Reference:
https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
http://www.youtube.com/watch?v=b-uPh99whw4
Snort SID: 25589 25601 25617-25620
ClamAV: N/A
Title: New D/TLS attacks published
Description: Researchers Nadhem AlFardan and Kenneth Paterson on Monday
released a paper demonstrating attacks on the TLS and DTLS protocols,
the most popular ways to encrypt data on the Internet today. While the
attacks require complex statistical analysis in order to decrypt the
messages, code to exploit these weaknesses is likely to emerge in the
wild in the relatively near term, due to the high potential value of a
successful attack. Network detection revolves around the fact that a
large number of requests must be sent to crack the encryption, similar
to the SSL-BEAST attack of 2011. Vendors ranging from Microsoft to
OpenSSL have released announcements on the subject, either verifying
that their implementations are already secure, releasing patches, or
confirming current patch development. Users are encouraged to upgrade
all SSL-capable applications on their systems/networks as soon as
feasible.
Reference:
http://www.isg.rhul.ac.uk/tls/TLStiming.pdf
Snort SID: 20212
ClamAV:
Title: Opera use-after-free proof-of-concept released
Description: Opera released an update last week that fixed a
vulnerability due to a use-after-free violation in its DOM modeling. As
proof-of-concept code was released this past weekend, exploitation is
presumed to be occurring in the wild already. Users of Opera are
strongly urged to patch to the latest version immediately.
Reference:
http://pastie.org/6029531#
http://www.opera.com/support/kb/view/1042/
Snort SID: 25621 25622
ClamAV: HTML.Exploit.SVG
Title: iOS 6.x Jailbreak released
Description: A group known as Evasi0n released an iOS 6.x jailbreak this
weekend, which early reports estimate has been downloaded over 800,000
times as of Tuesday night. The vulnerability being exploited - a local
privilege escalation piggybacking on a backup application - presents
essentially no threat to random users on the Internet, but enables
device privileges for a variety of hardware platforms. As of the time
of publication, no response from Apple had been announced.
Reference:
http://www.geek.com/articles/mobile/how-did-evasi0n-manage-to-jailbreak-ios-6-1-2013025/
http://intrepidusgroup.com/insight/2013/02/evading-evasi0n/
http://cydia.saurik.com/
Snort SID: 25613, 25614, 25615, 25616
ClamAV: Osx.Exploit.Iosjailbreak, Unix.Exploit.Iosjailbreak,
Win.Exploit.Iosjailbreak
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
Digital certificates and malware: a dangerous mix:
http://blog.malwarebytes.org/intelligence/2013/02/digital-certificates-and-malware-a-dangerous-mix/
Bicololo malware spreading via 404 targeting Russians:
http://thehackernews.com/2013/02/bicololo-malware-spreading-via-404.html#_
Lucky 13: Breaking the TLS and DTLS Protocols:
http://www.isg.rhul.ac.uk/tls/TLStiming.pdf
Why does Google prepend while(1); to their JSON responses?
http://www.reddit.com/r/netsec/comments/17xzlw/why_does_google_prepend_while1_to_their_json/
FBI banned from Iceland:
http://rixstep.com/1/20130131,00.shtml
The CVE-2012-4792 and the “spear phishing” rotary domains, part 2:
http://community.websense.com/blogs/securitylabs/archive/2013/02/05/The-CVE_2D00_2012_2D00_4792-and-the-Spearphishing-Rotary-domains-Part-2.aspx
Video: World’s first computer virus was created by two Pakistanis in 1986:
http://outsidelens.scmagazine.com/video/World-First-Computer-Virus-Was;Malware
Crooks net millions in coordinated ATM heists:
http://krebsonsecurity.com/2013/02/crooks-net-millions-in-coordinated-atm-heists/
Kaspersky AV update cripples Internet for thousands of Windows XP machines:
http://thenextweb.com/apps/2013/02/05/kaspersky-antivirus-update-cripples-internet-for-thousands-of-windows-xp-machines/
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2013-0422
Title: Oracle Java SE Security Bypass Vulnerability
Vendor: Oracle
Description: Multiple vulnerabilities in Oracle Java 7 before Update 11
allow remote attackers to execute arbitrary code by (1) using the public
getMBeanInstantiator method in the JmxMBeanServer class to obtain a
reference to a private MBeanInstantiator object, then retrieving
arbitrary Class references using the findClass method, and (2) using the
Reflection API with recursion in a way that bypasses a security check
by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method
due to the inability of the sun.reflect.Reflection.getCallerClass method
to skip frames related to the new reflection API, as exploited in the
wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and
a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE:
some parties have mapped the recursive Reflection API issue to
CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose
details are not public as of 20130114. CVE-2013-0422 covers both the
JMX/MBean and Reflection API issues. NOTE: it was originally reported
that Java 6 was also vulnerable, but the reporter has retracted this
claim, stating that Java 6 is not exploitable because the relevant code
is called in a way that does not bypass security checks. NOTE: as of
20130114, a reliable third party has claimed that the
findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update
- If there is still a vulnerable condition, then a separate CVE
identifier might be created for the unfixed issue.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2013-0156
Title: Ruby on Rails XML Processor YAML Deserialization Code Execution
Vendor: rubyonrails.org
Description: active_support/core_ext/hash/conversions.rb in Ruby on
Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x
before 3.2.11 does not properly restrict casts of string values, which
allows remote attackers to conduct object-injection attacks and execute
arbitrary code, or cause a denial of service (memory and CPU
consumption) involving nested XML entity references, by leveraging
Action Pack support for (1) YAML type conversion or (2) Symbol type
conversion.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2012-5088
Title: Java Applet Method Handle Remote Code Execution
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment
(JRE) component in Oracle Java SE 7 Update 7 and earlier allows remote
attackers to affect confidentiality, integrity, and availability via
unknown vectors related to Libraries.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2012-5076
Title: Java Applet AverageRangeStatisticImpl Remote Code Execution
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment
(JRE) component in Oracle Java SE 7 Update 7 and earlier allows remote
attackers to affect confidentiality, integrity, and availability,
related to JAX-WS.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2013-0333
Title: Ruby on Rails JSON Processor YAML Deserialization Code Execution
Vendor: rubyonrails.org
Description: An input validation error in Ruby on Rails versions prior
to 3.0.20 and 2.3.16 can be exploited remotely.
The vulnerable application fails to validate specially crafted JSON
requests that are processed by the YAML parser. This vulnerability is
very similar to CVE-2013-0156.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
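Both Rails entries above (CVE-2013-0156, where XML leaves carrying a `type` attribute are cast through YAML or Symbol conversion, and CVE-2013-0333, where JSON bodies reach the YAML parser) come down to the same mistake: handing untrusted text to a loader that can construct arbitrary Ruby objects. The following Ruby is an added illustration, not code from the Rails project or from the newsletter. The TYPE_CASTERS table is a constructed stand-in for the parsing table the description locates in active_support/core_ext/hash/conversions.rb; the removal of the 'yaml' and 'symbol' entries mirrors the workaround the Rails advisory published, and parse_untrusted_yaml is an assumed application-side helper showing how Psych's safe_load restricts what a YAML document may instantiate.

```ruby
require 'yaml'

# Constructed illustration of typed-value casting of the kind the
# newsletter describes for active_support/core_ext/hash/conversions.rb
# (not the Rails source). A parsed XML leaf such as
# <id type="integer">42</id> selects a caster by its `type` attribute;
# the 'yaml' and 'symbol' entries hand attacker-controlled text to the
# YAML loader or mint new Symbols, which is the root of CVE-2013-0156.
TYPE_CASTERS = {
  'integer' => ->(s) { Integer(s, 10) },
  'boolean' => ->(s) { %w[1 true].include?(s.strip) },
  'symbol'  => ->(s) { s.to_sym },     # unbounded Symbol creation (memory DoS)
  'yaml'    => ->(s) { YAML.load(s) }, # arbitrary object deserialization on older Psych
}.freeze

# The advisory's workaround: drop the 'yaml' and 'symbol' casters so a
# value tagged with either type falls through as a plain String.
SAFE_TYPE_CASTERS = TYPE_CASTERS.reject { |t, _| %w[yaml symbol].include?(t) }.freeze

# Cast one leaf value; unknown or removed types are returned untouched.
def cast_typed(text, type, casters = SAFE_TYPE_CASTERS)
  caster = casters[type]
  caster ? caster.call(text) : text
end

# Assumed helper for applications that genuinely must accept YAML (or
# JSON that is routed through the YAML parser, as in CVE-2013-0333):
# Psych's safe_load builds only core scalars and collections and raises
# Psych::DisallowedClass for tagged Ruby objects and for Symbols.
def parse_untrusted_yaml(text)
  YAML.safe_load(text)
rescue Psych::DisallowedClass, Psych::SyntaxError => e
  { 'error' => e.class.name }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values of the kind a request body could carry.
  p cast_typed('42', 'integer')                          # 42
  p cast_typed('admin', 'symbol')                        # "admin", not :admin
  p cast_typed("--- !ruby/object:Object {}\n", 'yaml')   # returned as a String
  p parse_untrusted_yaml("--- !ruby/object:Object {}\n") # {"error"=>"Psych::DisallowedClass"}
  p parse_untrusted_yaml("name: app\nport: 8080\n")      # {"name"=>"app", "port"=>8080}
end
```

The key design point is that the safe table never consults the type attribute for anything that can create a class instance or a Symbol; if a deployment cannot patch immediately, removing those two entries closes the injection path while leaving ordinary integer and boolean casts working.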
ID: CVE-2012-5958
Title: Portable UPnP SDK unique_service_name() Remote Code Execution
Vendor: libupnp.org
Description: Stack-based buffer overflow in the unique_service_name
function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK
for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices)
before 1.6.18 allows remote attackers to execute arbitrary code via a
UDP packet with a crafted string that is not properly handled after a
certain pointer subtraction.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
MOST PREVALENT MALWARE FILES 1/30/2013 - 2/5/2013 COMPILED BY SOURCEFIRE
SHA 256: B7B28E855B8C6225C605330760FF4DC407EFC83F72F1A04E974A72189D0F1D96
MD5: 573b6cc513e1b7cd9e35b491eacc38f3
VirusTotal: https://www.virustotal.com/file/B7B28E855B8C6225C605330760FF4DC407EFC83F72F1A04E974A72189D0F1D96/analysis/
Typical Filename: 573b6cc513e1b7cd9e35b491eacc38f3
Claimed Product: 573b6cc513e1b7cd9e35b491eacc38f3
Claimed Publisher: 573b6cc513e1b7cd9e35b491eacc38f3
SHA 256: 9267AAD92DEA47A6A8B2F734037239AB3376E47F969F8B97B64192A820B2A86F
MD5: 3ff52cee72b936c56b4fbb9f970ece74
VirusTotal: https://www.virustotal.com/file/9267AAD92DEA47A6A8B2F734037239AB3376E47F969F8B97B64192A820B2A86F/analysis/
Typical Filename: wintdiyx.exe
Claimed Product: wintdiyx.exe
Claimed Publisher: wintdiyx.exe
SHA 256: 0585CDC0293EA6B8C86482608C08C583BF32E12CFA59D143F4A0411D2894C0F3
MD5: b3b9295385f4e74d023181e5a24f4d83
VirusTotal: https://www.virustotal.com/file/0585CDC0293EA6B8C86482608C08C583BF32E12CFA59D143F4A0411D2894C0F3/analysis/
Typical Filename: Keygen.exe
Claimed Product: Keygen.exe
Claimed Publisher: Keygen.exe
SHA 256: E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B
MD5: bf31a8d79f704f488e3dbcb6eea3b3e3
VirusTotal: https://www.virustotal.com/file/E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B/analysis/
Typical Filename: lmlkl.sys
Claimed Product: lmlkl.sys
Claimed Publisher: lmlkl.sys
SHA 256: DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C
MD5: 25aa9bb549ecc7bb6100f8d179452508
VirusTotal: https://www.virustotal.com/file/DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C/analysis/
Typical Filename: File_0_2.ok
Claimed Product: File_0_2.ok
Claimed Publisher: File_0_2.ok