November 21, 2024

Critical Vulnerability Impacting Hotel Wifi Networks Uncovered

Posted on March 26, 2015 by in Security

A serious security hole affecting a popular Internet gateway device used in hotels and convention centers has been closed.

The vulnerability affects ANTlabs’ InnGate, which is designed for operating corporate visitor-based networks. According to security firm Cylance, the vulnerability can be exploited to allow an attacker to monitor or tamper with traffic to and from any hotel Wifi user’s connection and potentially gain access to a hotel’s property management system.

Cylance reports that 277 hotels, convention centers and data centers across 29 countries are affected. At its core, the vulnerability is due to a misconfigured rsync instance included in the InnGate firmware. If exploited, the attacker would have read/write access to the entire file system without authentication.

“CVE-2015-0932 gives an attacker full read and write access to the file system of an ANTLabs’ InnGate device,” explained Brian Wallace, senior researcher at Cylance, in a blog post. “Remote access is obtained through an unauthenticated rsync daemon running on TCP 873. Once the attacker has connected to the rsync daemon, they are then able to read and write to the file system of the Linux based operating system without restriction.”

“When an attacker gains full read and write access to a Linux file system, it’s trivial to then turn that into remote code execution,” he continued. “The attacker could upload a backdoored version of nearly any executable on the system and then gain execution control, or simply add an additional user with root level access and a password known to the attacker. Once full file system access is obtained, the endpoint is at the mercy of the attacker.”
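The root cause Cylance describes is an rsync daemon that answers on TCP 873, accepts any client without credentials and exports the filesystem read/write. The Python script below is an added example (not part of the Cylance write-up or the ANTlabs firmware) that audits an rsyncd.conf for modules with exactly that shape: no "auth users", no "hosts allow", "read only = no" and a path of "/". The configuration it reads is constructed for the demonstration; the parameter names are rsync's own, and the "read only = yes" default it assumes is rsync's documented default.

```python
"""Audit an rsyncd.conf for modules exposed the way the article describes:
reachable by anyone, without credentials, and writable.
Added example; not ANTlabs or Cylance code."""

# Constructed sample configuration (not the InnGate firmware's actual file).
# [backup] mirrors the misconfiguration in the article: the whole filesystem,
# writable, no credentials, no host restriction. [configs] is a locked-down
# module for contrast. The global "uid" line shows inherited defaults.
SAMPLE_RSYNCD_CONF = """\
# global settings apply to every module unless the module overrides them
uid = root

[backup]
    path = /
    read only = no

[configs]
    path = /srv/configs
    read only = yes
    auth users = deploy
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/8
"""


def parse_rsyncd_conf(text):
    """Parse rsyncd.conf into {module: {param: value}}.

    Parameters before the first [module] header are globals and serve as
    defaults for every module, which is how rsync itself treats them.
    """
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules[current] = {}
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        (globals_ if current is None else modules[current])[key.lower()] = value
    return {name: {**globals_, **params} for name, params in modules.items()}


def _is_true(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit_rsyncd_conf(text):
    """Return {module: [finding, ...]} for every module with an exposure.

    A module carrying all four findings has the CVE-2015-0932 shape: the
    entire filesystem readable and writable by any unauthenticated client.
    """
    findings = {}
    for name, cfg in parse_rsyncd_conf(text).items():
        problems = []
        if "auth users" not in cfg:
            problems.append("no 'auth users': clients need no credentials")
        if "hosts allow" not in cfg:
            problems.append("no 'hosts allow': reachable from any address")
        # rsync's documented default is read only = yes; be explicit about it.
        if not _is_true(cfg.get("read only", "yes")):
            problems.append("'read only = no': clients can write to the module")
        path = cfg.get("path")
        if path is not None and path.rstrip("/") == "":
            problems.append("path is '/': module exports the whole filesystem")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for module, problems in audit_rsyncd_conf(SAMPLE_RSYNCD_CONF).items():
        print(f"[{module}]")
        for problem in problems:
            print(f"  - {problem}")
```

Run against the embedded sample, the script reports all four findings for [backup] and nothing for [configs]. On an appliance the same audit belongs in a build or configuration test, together with a firewall rule that keeps TCP 873 off the guest-facing interface.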

If an attacker has compromised a vulnerable InnGate device at a hotel, obtained shell access via SSH and created an account for themselves with root access, they could run tcpdump and dump all network traffic going through the devices. This would allow an attacker to collect any plaintext communication sent through the gateway of the affected hotel or location, Wallace blogged.

“A slightly more sophisticated attacker could use a tool such as SSLStrip in order to attempt to downgrade the transport layer encryption in order to increase the amount of plaintext credentials gathered,” Wallace noted. “This attack gives the threat actor incredible leverage over their targets including making OpenSSL vulnerabilities easier to exploit.”

ANTlabs released a patch for the issue today. The vulnerable devices include:   

  • IG 3100 model 3100, model 3101
  • InnGate 3.00 E-Series, 3.01 E-Series, 3.02 E-Series, 3.10 E-Series
  • InnGate 3.01 G-Series, 3.10 G-Series

Hotel networks offer a potentially attractive target for cyber-espionage groups. Last year, an advanced persistent threat (APT) group was discovered targeting Wifi networks at hotels in Asia. In addition, the FBI and the Internet Crime Complaint Center warned in 2012 that attackers were targeting travelers abroad through malicious pop-up windows when they established an Internet connection in their hotel rooms. 

“While the DarkHotel campaign was clearly carried out by an advanced threat actor with a large number of resources, CVE-2015-0932 is a very simple vulnerability with devastating impact,” Wallace wrote. “The severity of this issue is escalated by how little sophistication is required for an attacker to exploit it.”


Brian Prince is a Contributing Writer for SecurityWeek.


Vulnerability Found in Yoast’s Google Analytics WordPress Plugin

Posted on March 21, 2015 by in Security

Yoast has released a new version of its popular Google Analytics plugin for WordPress to address a persistent cross-site scripting (XSS) vulnerability that could have been exploited to execute arbitrary code.

Google Analytics by Yoast has been downloaded nearly 7 million times. The application allows WordPress administrators to monitor website traffic by connecting the plugin to their Google Analytics account.

The vulnerability was identified by Jouko Pynnonen, the CEO of Finland-based IT company Klikki Oy. Earlier this month, the expert reported identifying several vulnerabilities in the WPML premium WordPress plugin.

According to the researcher, an attacker can leverage a flaw in Google Analytics by Yoast to store arbitrary code in a targeted administrator’s WordPress dashboard. The code is executed as soon as the administrator opens the plugin’s settings panel.

The attack involves two security bugs. First, there is an access control flaw that allows an unauthenticated attacker to connect the plugin installed on the targeted website to his own Google Analytics account by overwriting existing OAuth2 credentials.

The second stage of the attack relies on the fact that the plugin renders an HTML dropdown menu based on data from Google Analytics. Because this data is not sanitized, an attacker can enter malicious code in the Google Analytics account and it gets executed when the targeted administrator views the plugin’s settings panel.
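The second bug is a textbook second-order XSS: text fetched from an account the attacker controls is written into the admin page as markup. The Python example below is added here and is not code from the Yoast plugin; it renders the kind of dropdown the article describes from a constructed list of analytics properties, first the flawed way and then with validation and entity encoding. The property names, IDs and the "UA-…" id format check are assumptions made for the demonstration.

```python
"""Render a settings dropdown from third-party API data, the vulnerable way
and the hardened way. Added example, not code from the Yoast plugin."""
import html
import re

# Constructed sample of the property list the plugin would fetch from the
# attacker-linked analytics account. The second entry carries markup of the
# kind the article says was rendered unescaped into the admin page.
PROFILES = [
    {"id": "UA-12345-1", "name": "Main site"},
    {"id": "UA-99999-1", "name": "</option></select><script>alert(1)</script>"},
]

# Assumed shape of a property id; anything else is dropped rather than rendered.
PROPERTY_ID_RE = re.compile(r"^UA-\d+-\d+$")


def render_dropdown_unsafe(profiles):
    """Flawed pattern: API strings interpolated straight into HTML, so the
    browser treats attacker-controlled text as markup when the admin opens
    the panel (persistent XSS)."""
    options = "".join(
        f'<option value="{p["id"]}">{p["name"]}</option>' for p in profiles
    )
    return f'<select name="profile">{options}</select>'


def render_dropdown_safe(profiles):
    """Hardened: validate the id against its expected shape and entity-encode
    every string before it touches markup. Data from a 'trusted' service is
    still untrusted once an attacker can choose which account is linked."""
    options = []
    for p in profiles:
        if not PROPERTY_ID_RE.match(p["id"]):
            continue  # drop entries that do not look like a property id
        options.append(
            f'<option value="{html.escape(p["id"], quote=True)}">'
            f"{html.escape(p['name'])}</option>"
        )
    return f'<select name="profile">{"".join(options)}</select>'


def contains_live_script(markup):
    """Crude check used to show the difference: a raw <script> tag survives
    in the unsafe output and is neutralised in the safe one."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_dropdown_unsafe(PROFILES))
    print(render_dropdown_safe(PROFILES))
```

The encoded version still shows the attacker's string to the administrator, but as text inside an option rather than as a script; the id check also closes off the "value" attribute, which encoding alone would handle but an allowlist handles more cheaply. The first bug, the unauthenticated overwrite of the OAuth credentials, is an authorization check missing on the request handler and is not shown here.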

“Under default WordPress configuration, a malicious user can exploit this flaw to execute arbitrary server-side PHP code via the plugin or theme editors,” Pynnonen said in an advisory. “Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target site.”

The security issues have been addressed with the release of Google Analytics by Yoast version 5.3.3. The update also fixes a flaw that allowed administrators to launch XSS attacks against other administrators. This vulnerability was publicly disclosed back in February by Kaustubh G. Padwad and Rohit Kumar.

This isn’t the first time someone finds a vulnerability in a plugin from Yoast. Last week, UK-based researcher Ryan Dewhurst uncovered a blind SQL injection vulnerability in WordPress SEO by Yoast.


Previous Columns by Eduard Kovacs:


Network Vision Fixes Code Injection Vulnerability in IntraVUE Software

Posted on February 27, 2015 by in Security

Organizations that use the IntraVUE network visualization software from Network Vision are advised to update their installations as soon as possible because older versions of the solution are plagued by a critical vulnerability.

A code injection flaw (CVE-2015-0977) has been found in IntraVUE by Jürgen Bilberger from Daimler TSS GmbH, a security researcher who has discovered and reported vulnerabilities in several industrial control system (ICS) products over the past years.

According to an advisory from ICS-CERT, a remote, unauthenticated attacker can exploit the vulnerability to execute arbitrary operating system commands that could impact the availability, integrity, and confidentiality of affected servers.

This is a high-severity vulnerability with a CVSS base score of 10. Even an attacker with low skill could leverage the bug, but there is no evidence that an exploit is publicly available, ICS-CERT noted.

The security hole affects all Windows versions of IntraVUE prior to 2.3.0a14. The issue has been addressed with the release of IntraVUE 2.3.0a14 on February 9. In the meantime, Network Vision also released version 2.3.0a16, which brings some functionality improvements.

“It is recommended that the new version be applied as soon as possible. Users who have software support contracts with Network Vision can upgrade to the newest version at no cost,” reads the advisory from ICS-CERT.

Network Vision is a Newburyport, Massachusetts-based company that provides industrial Ethernet solutions for sectors such as automation, critical manufacturing, transportation, and water systems.

IntraVUE, the company’s flagship product, is designed to provide Ethernet device visualization and enable organizations to quickly identify issues affecting devices deployed in distributed and hostile environments. The solution can be used to identify duplicate MAC and IP addresses, connection or application faults, device or cable moves, and unauthorized connections.


Previous Columns by Eduard Kovacs:


Facebook Users Targeted Via Android Same Origin Policy Vulnerability

Posted on December 29, 2014 by in Security

Researchers at Trend Micro say attackers are actively exploiting a vulnerability in Android’s WebView browser in order to compromise Facebook accounts.

The flaw allows the attackers to bypass Android’s Same Origin Policy (SOP), and impacts devices running versions of the operating system prior to 4.4. The vulnerability, CVE-2014-6041, was first disclosed in September by an independent researcher. But months later, the vulnerability continues to be exploited in the wild.

“The Android WebView in Android before 4.4 allows remote attackers to bypass the Same Origin Policy via a crafted attribute containing a \u0000 character, as demonstrated by an onclick="window.open('\u0000javascript: sequence to the Android Browser application 4.2.1 or a third-party web browser,” according to the National Vulnerability Database.

According to Trend Micro Mobile Security Engineer Simon Huang, the attack targets Facebook users via a link in a particular Facebook page that leads to a malicious site. The page contains obfuscated JavaScript code that includes an attempt to load a Facebook URL in an inner frame. The user will only see a blank page as the page’s HTML has been set not to display anything via its div tag while the inner frame has a size of one pixel, he added.

“While these routines are being carried out, the SOP bypass is being performed,” he blogged, adding that a remote JavaScript file is loaded from a legitimate cloud storage provider.

The file, he noted, contains the malicious code of the attack and enables the attackers to perform the following activities on Facebook:

  1. Add friends
  2. Like and follow Facebook pages
  3. Modify subscriptions
  4. Authorize a Facebook app to access the user’s public profile, friends list, birthday information, likes and friends’ likes
  5. Steal the victim’s access tokens and upload them to their server at http://{BLOCKED}martforchristmas.website/walmart/j/index.php?cid=544fba6ac6988&access_token=$token;
  6. Collect analytics data (such as victims’ location, HTTP referrer, etc.) using the legitimate service at https://whos.{BLOCKED}ung.us/pingjs/

“In addition to the code at the above site, we found a similar attack at http://www.{BLOCKED}php.com/x/toplu.php,” Huang explained. “We believe both of them are created by the same author because they share several function names, as well as the client_id of the Facebook app.”

“The client_id involved in this malware was ‘2254487659’,” he added. “This is an official BlackBerry App maintained by BlackBerry. We confirmed with BlackBerry and clarified that this malware is trying to take advantage of the trusted BlackBerry brand name and steal user’s access-tokens, which can be used to make requests to Facebook APIs and read user’s information or to publish content to Facebook on behalf of a person.”

Blackberry is working with Facebook and Trend Micro to address the issue. Google has already issued a fix for the vulnerability for Android users.


Brian Prince is a Contributing Writer for SecurityWeek.


Apple, Microsoft, GitHub Release Updates to Fix Critical Git Vulnerability

Posted on December 19, 2014 by in Security

The distributed revision control system Git is affected by a serious vulnerability that could be exploited by an attacker to execute arbitrary commands and take over a developer’s machine.

The flaw (CVE-2014-9390) affects all versions of the official Git client and related software that interacts with Git repositories. Git 2.2.1 has been released to address the issue, but updates have also been made available for older maintenance tracks (1.8.5.6, 1.9.5, 2.0.5, 2.1.4).

The vulnerability, which affects users running Windows and Mac OS X, was discovered by the developers of the cross-platform, distributed revision control tool Mercurial. They initially identified the security hole in Mercurial, but after further investigation, they determined that Git is affected as well.

GitHub for Windows and GitHub for Mac have been updated to address the vulnerability. GitHub says GitHub Enterprise and github.com are not directly affected, but users are advised to update their clients as soon as possible.

Maintenance versions that include the fix for this flaw have also been released for libgit2 and JGit, two major Git libraries. Since Microsoft uses libgit2 in Visual Studio products, the company has rolled out patches for Visual Studio Online, Codeplex, Visual Studio Team Foundation Server (TFS) 2013, Visual Studio 2013 RTM, Visual Studio 2013 Update 4, and for the VS 2012 VSIX extension.

Apple’s integrated development environment Xcode also uses Git. The issue has been addressed by adding additional checks in Xcode 6.2 beta 3.

The disclosure of the vulnerability and the release of patches have been coordinated by all affected parties.

“The vulnerability concerns Git and Git-compatible clients that access Git repositories in a case-insensitive or case-normalizing filesystem. An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine,” GitHub’s Vicent Marti explained in a blog post.

Marti noted that the flaw doesn’t affect Linux clients if they run in a case-sensitive filesystem. However, Junio Hamano, who maintains Git since 2005, has pointed out that some Linux users might also have to take measures.

“Even though the issue may not affect Linux users, if you are a hosting service whose users may fetch from your service to Windows or Mac OS X machines, you are strongly encouraged to update to protect such users who use existing versions of Git,” Hamano said in an advisory.
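The mechanism Marti describes depends on the filesystem, not on Git: a tree entry named ".GIT" is a different name to Git but the same directory to a case-insensitive filesystem, so checking it out overwrites the real .git/config. The Python below is an added example, not Git's own code, of the kind of check a client or hosting service can apply to tree paths before writing them. It goes slightly beyond the article in covering two NTFS behaviours (trailing dots and spaces are dropped, and ".git" gets the 8.3 short name "GIT~1"); Git's actual fix is broader still and also handles Unicode characters that HFS+ ignores when comparing names, which this example omits. The tree listing is constructed.

```python
"""Flag Git tree paths that a case-insensitive or case-normalizing
filesystem would write as .git. Added example, not Git's own code."""

# Constructed sample tree listing (paths as they would appear in a tree object).
SAMPLE_TREE = [
    "README.md",
    "src/main.c",
    ".GIT/config",                 # differs from .git only by case
    "GIT~1/hooks/post-checkout",   # NTFS 8.3 short name that maps to .git
    ".git./config",                # NTFS drops trailing dots and spaces
    "docs/.github/workflows.md",   # legitimate: not .git
]


def is_dotgit_component(component):
    """True if one path component resolves to .git once the filesystem
    ignores case (and, on NTFS, trailing dots/spaces and 8.3 aliases)."""
    name = component.rstrip(" .").casefold()
    return name in (".git", "git~1")


def find_dotgit_paths(tree_paths):
    """Return every tree path that contains such a component. A client that
    refuses to write these cannot have its .git/config overwritten, and a
    hosting service can reject a push that introduces them."""
    return [
        path for path in tree_paths
        if any(is_dotgit_component(part) for part in path.split("/"))
    ]


if __name__ == "__main__":
    for path in find_dotgit_paths(SAMPLE_TREE):
        print("refusing to write:", path)
```

Note that the check is applied to the names stored in the tree, not to what the filesystem reports back, which is why a Linux server that never checks the tree out still benefits from running it on behalf of Windows and OS X clients, as Hamano recommends.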

Microsoft’s Brian Harry believes that an attack leveraging this vulnerability is likely to work only in certain environments.

“For someone to do this to you, they have to have commit rights to a repo that you pull from. Inside a corporation, that would likely have to be an attack from the inside. The most likely (not only, but most likely) scenario here is in some small OSS project. Large ones generally have pretty well known/trusted committers,” Harry said.


Previous Columns by Eduard Kovacs:


Recently Patched Flash Player Vulnerability Added to Exploit Kit

Posted on October 23, 2014 by in Security

An exploit for a Flash Player vulnerability that was patched just over one week ago by Adobe has already been added by cybercriminals to an exploit kit.

The French malware researcher known as “Kafeine” was the one who first noticed the integration of the exploit for CVE-2014-0569, a Flash Player integer overflow flaw that could lead to arbitrary code execution, into the Fiesta exploit kit. The expert made the discovery while trying to analyze a different Flash vulnerability (CVE-2014-0556).

The vulnerability was reported to Adobe privately through HP’s Zero Day Initiative (ZDI) program so everyone is wondering how the cybercriminals managed to get their hands on the exploit in such a short period of time.

Kafeine told SecurityWeek that he believes the cybercriminals reverse engineered the patch released by Adobe to build their exploit.

“The criminals built this vulnerability into an exploit kit in record time. Whether they were given a heads-up, or just have a highly skilled reverse engineer, both scenarios are equally worrisome as it increases the possible window of infection,” Jerome Segura, senior security researcher from Malwarebytes Labs, told SecurityWeek. “Perhaps this is not too much of a deal for individuals, but it can be more difficult for businesses which need to roll out patches on dozens of machines, hoping doing so will not cause malfunctions in existing applications. Browsing the net on an unpatched computer is like playing Russian roulette with a handful of loaded guns.”

“The bad guys are not going to run short of vulnerabilities they can weaponize, and if this happens at a quicker rate than ever before, their success rate will increase. This leaves end users with very little room for mistakes, such as failing to diligently apply security patches sooner rather than later,” Segura added.

Initially, Kafeine believed the exploit for CVE-2014-0569 was integrated into the Angler exploit kit as well, but in an update made to his original blog post, the researcher noted that the exploit included in Angler actually appears to be for a different Flash vulnerability patched by Adobe last week.

In the case of the Angler exploit kit, the first payload that’s distributed is Bedep (detected by Malwarebytes as Trojan.FakeMS.ED), which enrolls infected computers into a botnet. The final payload is a variant of the notorious Zeus banking Trojan, Kafeine said.

Both the Fiesta and Angler exploit kits are popular among cybercriminals. Angler was recently involved in a malvertising campaign targeting several high-profile websites, including Java.com.

Previous Columns by Eduard Kovacs:


Feedback Friday: ‘Shellshock’ Vulnerability – Industry Reactions

Posted on September 28, 2014 by in Security

The existence of a highly critical vulnerability affecting the GNU Bourne Again Shell (Bash) has been brought to light this week. The security flaw is considered by some members of the industry as being worse than the notorious Heartbleed bug.


GNU Bash is a command-line shell used in many Linux, Unix and Mac OS X operating systems. The vulnerability (CVE-2014-6271) has been dubbed “Bash Bug” or “Shellshock” and it affects not only Web servers, but also Internet-of-Things (IoT) devices such as DVRs, printers, automotive entertainment systems, routers and even manufacturing systems.

By exploiting the security hole, an attacker can execute arbitrary commands and take over the targeted machine. Symantec believes that the most likely route of attack is through Web servers that use CGI (Common Gateway Interface). There have already been reports of limited, targeted attacks exploiting the vulnerability.

A patch has been made available, but it’s incomplete. Until a permanent fix is rolled out, several organizations have launched Shellshock detection tools. Errata Security has started scanning the Web to find out how many systems are affected, and Symantec has published a video to demonstrate how the flaw can be exploited.

The security community warns that the vulnerability can have serious effects, and points out that it could take a long time until all systems are patched.

And the Feedback Begins…

Ian Pratt, Co-founder and EVP at Bromium:

“The ‘shellshock’ bash vulnerability is a big deal. It’s going to impact large numbers of internet-facing Linux/Unix/OS X systems as bash has been around for many years and is frequently used as the ‘glue’ to connect software components used in building applications. Vulnerable network-facing applications can easily be remotely exploited to allow an attacker to gain access to the system, executing with the same privilege the application has. From there, an attacker would attempt to find a privilege escalation vulnerability to enable them to achieve total compromise.

Bash is a very complex and feature-rich piece of software that is intended for interactive use by power users. It does way more than is typically required for the additional role for which it is often employed in gluing components together in applications. Thus it presents an unnecessarily broad attack surface — this likely won’t be the last vulnerability found in bash. Application developers should try to avoid invoking shells unless absolutely necessary, or use minimalist shells where required.”


Mark Parker, Senior Product Manager at iSheriff:

 “This bash vulnerability is going to prove to be a much bigger headache than Heartbleed was. In addition to the general Mac OS X, Linux and Unix systems that need to be patched, there are also thousands upon thousands of Internet connected Linux and Unix based embedded devices, such as DVRs, home automation systems, automotive entertainment systems, mobile phones, home routers, manufacturing systems and printers.

Most of these devices will be susceptible because most Linux based devices run bash; it is such an integral part of the Linux OS. I anticipate that we will continue to see the fallout from this vulnerability for a long time to come.”

Carl Wright, General Manager of TrapX Security:

“We feel that industry will take this very seriously and come out with patches for this vulnerability ASAP. It could take us years to understand how many systems were compromised and how many were used to escalate privileges into systems without this vulnerability. The transitive trust nature of directory architectures and authentications systems could mean we are living with this far beyond patching the current systems if this exploit has been taken advantage of even at a small 1% level.”

Coby Sella, CEO of Discretix:

“This is the second time over the last six months when a key infrastructure component used by billions of connected things across a variety of industries has been compromised. We see this problem only getting worse as more and more unsecured or not adequately secured things are rolled out without any comprehensive security solution that reaches all the way down to the chipset. Real solutions to this problem must cover every layer from the chipset to the cloud enabling companies to remotely insert secrets into the chipset layer via secured connections within their private or cloud infrastructure.”

Nat Kausik, CEO, Bitglass:

“Enterprises with ‘trusted endpoint’ security models for laptops and mobile devices are particularly vulnerable to this flaw.  Malware can exploit this vulnerability on unix-based laptops such as Mac and Chromebook when the user is away from the office, and then spread inside the corporate network once the user returns to the office.”

Steve Durbin, Managing Director of the Information Security Forum:

“The Bash vulnerability simply stresses the point that there is no such thing as 100% security and that we all need to take a very circumspect and practical approach to how we make use of the devices that we use to share data both within and outside the home and our businesses. I have my doubts on whether or not this will lead to a wave of cyber-attacks, but that is not to say that the vulnerability shouldn’t be taken seriously. It is incumbent upon all of us as users to guard our data and take all reasonable precautions to ensure that we are protecting our information as best as we are realistically able.”

Steve Lowing, Director of Product Management, Promisec:

“Generally, the Bash vulnerability could be really bad for systems, such as smart devices including IP cameras, appliances, embedded web servers on routers, etc., which are not updated frequently. The exposure for most endpoints is rapidly being addressed in the form of patches to all flavors of UNIX including Redhat and OS X. Fortunately for Microsoft, they avoid much of this pain since most Windows systems do not have Bash installed on them.

For vulnerable systems, depending on how they are leveraging the Bash shell, the results could be grave. For example, a webserver that uses CGI would likely be configured to use Bash as the shell for executing commands, and compromising this system via this vulnerability is fairly straightforward. The consequences could be to delete all web content, which could mean service level agreements (SLAs) are not met because of complete outage, or to deface the site, which tarnishes your brand, or even to be a point of infiltration for a targeted attack, which could mean IP and/or sensitive customer information loss.

The IoT is likely under the biggest risk since many of these devices and appliances are not subject to frequent software updates like a desktop or laptop or server would be. This could result in many places for an attacker to break into and lie in wait for sensitive information to come their way.”

Jason Lewis, Chief Collection and Intelligence Officer, Lookingglass Cyber Solutions:

“The original vulnerability was patched by CVE-2014-6271. Unfortunately this patch did not completely fix the problem. This means even patched systems are vulnerable.

Several proof of concepts have been released. The exploit has the ability to turn into a worm, so someone could unleash an exploit to potentially infect a huge number of hosts.”

Ron Gula, Chief Executive Officer and Chief Technical Officer, Tenable Network Security: 

“Auditing systems for ShellShock will not be like scanning for Heartbleed. Heartbleed scans could be completed by anyone with network access with high accuracy. With ShellShock, the highest form of accuracy to test for this is to perform a patch audit. IT auditing shops that don’t have mature relationships with their IT administrators may not be able to audit for this.

Detecting the exploit of this is tricky. There are network IDS rules to detect the attack on unencrypted (non-SSL) web servers, but IDS rules to look for this attack over SSL or SSH won’t work. Instead, solutions which can monitor the commands run by servers and desktops can be used to identify commands which are new, anomalistic and suspect.”

Mike Spanbauer, Managing Director of Research, NSS Labs:

“Bash is an interpretive shell that makes a series of commands easy to implement on a Unix derivative. Linux is quite prevalent today throughout the Web, both as commerce platform and as commercial website platform. It happens to be the default script shell for Unix, Linux, well… you get the picture.

The core issue is that while initially the vulnerability highlights the ease with which an attacker might take over a Web server running CGI scripting, and ultimately, ‘get shell’ which offers the attacker the means to reconfigure the access environment, get to sensitive data or compromise the victim machine in many ways.

As we get to the bottom of this issue, it will certainly be revealed just how bad this particular discovery is – but there is a chance it’s bigger than Heartbleed, and that resulted in thousands of admin hours globally applying patches and fixes earlier this year.”

Contrast Security CTO and co-founder Jeff Williams:

“This is a pretty bad bug. The problem happens because bash supports a little used syntax for ‘exported functions’ – basically a way to define a function and make it available in a child shell. There’s a bug that continues to execute commands that are defined after the exported function.

So if you send an HTTP request with a referrer header that looks like this: Referer:() { :; }; ping -c 1 11.22.33.44. The exported function is defined by this crazy syntax () { :; }; And the bash interpreter will just keep executing commands after that function. In this case, it will attempt to send a ping request home, thus revealing that the server is susceptible to the attack.

Fortunately there are some mitigating factors.  First, this only applies to systems that do the following things in order: 1) Accept some data from an untrusted source, like an HTTP request header, 2) Assign that data to an environment variable, 3) Execute a bash shell (either directly or through a system call).

If they send in the right data, the attacker will have achieved the holy grail of application security: ‘Remote Command Execution.’  An RCE basically means they have completely taken over the host.

Passing around data this way is a pretty bad idea, but it was the pattern back in the CGI days.  Unfortunately, there are still a lot of servers that work that way.  Even worse, custom applications may have been programmed this way, and they won’t be easy to scan for.  So we’re going to see instances of this problem for a long long time.”
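Williams' three conditions (untrusted data, copied into an environment variable, handed to bash) are met by a CGI server that exports request headers such as Referer and User-Agent into the script's environment, and Gula notes above that network IDS rules cannot see those headers once the request is inside TLS. The Python below is an added example, not code from any of the vendors quoted, of a check that runs on the server's own access log, where the headers are already decrypted: it parses "combined"-format log lines and flags any whose request line, Referer or User-Agent carries the "() {" function-definition prefix. The log lines, addresses and timestamps are constructed.

```python
"""Spot Shellshock probes in web-server access logs. Added example, not code
from any vendor quoted in the article."""
import re

# The function-export prefix vulnerable bash recognised in an environment
# variable: "() {" with optional whitespace. A CGI server copies request
# headers into the environment of the script it runs, which is the path in.
SHELLSHOCK_PREFIX = re.compile(r"\(\s*\)\s*\{")

# Apache/nginx "combined" format: the last two quoted fields are the Referer
# and User-Agent headers, the two most common carriers for this payload.
COMBINED_LOG = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed log lines; addresses and times are made up. The second line
# carries the Referer form discussed above, the third uses User-Agent, and
# the fourth has parentheses in the URL but no function definition.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.20 - - [25/Sep/2014:10:01:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :; }; ping -c 1 203.0.113.5" "Mozilla/5.0"',
    '192.0.2.30 - - [25/Sep/2014:10:01:04 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "() { :;}; echo probe"',
    '192.0.2.40 - - [25/Sep/2014:10:01:05 +0000] "GET /about() HTTP/1.1" 404 0 "-" "curl/7.37"',
]


def find_shellshock_attempts(lines):
    """Return one record per log line whose request line, Referer or
    User-Agent carries the function-definition prefix. Lines that do not
    parse as combined format are skipped rather than guessed at."""
    hits = []
    for line in lines:
        m = COMBINED_LOG.match(line)
        if not m:
            continue
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_PREFIX.search(m.group(field)):
                hits.append({
                    "client": m.group("client"),
                    "time": m.group("time"),
                    "field": field,
                    "value": m.group(field),
                })
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} {hit['field']}: {hit['value']}")
```

A hit in the log tells you a probe arrived, not that it succeeded; pairing it with the patch audit Gula describes, or with an egress-firewall log of the outbound connection the payload tries to make, is what distinguishes a scan from a compromise. Headers the server does not log (Cookie, custom headers) will not be seen by this check, which is an argument for logging the full request on CGI hosts while the issue is live.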

Tal Klein, Vice President of Strategy at Adallom:

“What I don’t like to see is people comparing Shellshock to Heartbleed. Shellshock is exponentially more dangerous because it allows remote code execution, meaning a successful attack could lead to the zombification of hosts. We’ve already seen one self-replicating Shellshock worm in the wild, and we’ve already seen one patch circumvention technique that requires patched Bash to be augmented in order to be ‘truly patched’. What I’m saying is that generally I hate people who wave the red flag about vulnerabilities, but this is a 10 out of 10 on the awful scale and poses a real threat to core infrastructure. Take it seriously.”

Michael Sutton, Vice President of Security Research at Zscaler:

“Robert Graham has called the ‘Shellshock’ vulnerability affecting bash ‘bigger than Heartbleed.’ That’s a position we could defend or refute; it all depends upon how you define bigger. Will more systems be affected? Definitely. While both bash and OpenSSL, which was impacted by Heartbleed, are extremely common, bash can be found on virtually all *nix systems, while the same can’t be said for OpenSSL as many systems simply would require SSL communication. That said, we must also consider exploitability, and here is where I don’t feel that the risk posed by Shellshock will eclipse Heartbleed.

Exploiting Heartbleed was (is) trivially easy. The same simple malformed ‘heartbeat’ request would trigger data leakage on virtually any vulnerable system. This isn’t true for Shellshock as exploitation is dependent upon influencing bash environment variables. Doing so remotely will depend upon the exposed applications that interact with bash. Therefore, this won’t quite be a ‘one size fits all’ attack. Rather, the attacker will first need to probe servers to determine not only those that are vulnerable, but also how they can inject code into bash environment variables.

The difference here is that we have to take application logic into account with Shellshock and that was not required with Heartbleed. That said, we’re very much in the same boat, having potentially millions of vulnerable machines, many of which will simply never be patched. Shellshock, like Heartbleed, will live on indefinitely.”

Mamoon Yunus, CEO of Forum Systems: 

“The Bash vulnerability has the potential to be much worse than Heartbleed. Leaking sensitive data is obviously bad but the Bash vulnerability could lead to losing control of your entire system.

The Bash vulnerability is a prime example of why it’s critical to take a lockdown approach to open, free-for-all shell access, a practice that is all too common for on-premise and cloud-based servers. Mobile applications have caused an explosion in the number of services being built and deployed. Such services are hosted on vanilla Linux OS variants with little consideration given to security and are typically close to the corporate edge. Furthermore, a large number of vendors use open Linux OSes, install their proprietary functionality, and package commercial network devices that live close to the network edge at Tier 0. They do so with full shell access instead of building a locked-down CLI for configuration.

The Bash vulnerability is a wake-up call for corporations that continue to deploy business functionality at the edge without protecting their services and API with hardened devices that do not provide a shell-prompt for unfettered access to OS internals for anyone to exploit.”

Jody Brazil, CEO of FireMon:

“This is the kind of vulnerability that can be exploited by an external attacker with malicious intent. So, how do those from the Internet, partner networks or other outside connection gain access to this type of exposure?

An attack vector analysis that considers network access through firewalls and address translation can help identify which systems are truly exposed. Then, determine if it’s possible to mitigate the risk by blocking access, even temporarily. In those cases where this is not an option, prioritizing patching is essential. In other cases, for example where there is remote access to a vulnerable system that is not business-critical, access can be denied using existing firewalls.

This helps security organizations focus their immediate patching efforts and maximize staffing resources. It’s critical to identify the greatest risk and then prioritize remediation activities accordingly. Those are key best practices to address Bash or any vulnerability of this nature.”

Mark Stanislav, Security Researcher at Duo Security:

“While Heartbleed eventually became an easy vulnerability to exploit, it was ultimately time consuming, unreliable and rarely resulted in ‘useful’ data output. Shellshock, however, effectively gives an attacker remote code execution on any impacted host with a much easier means to exploit than Heartbleed and greater potential results for criminals.

Once a web application or similarly afflicted application is found to be vulnerable, an attacker can do anything from download software, to read/write system files, to escalating privilege on the host or across internal networks. More damning, of course, is that the original patch to this issue seems to be flawed and now it’s a race to get a better patch released and deployed before attackers leverage this critical bug.”

Rob Sadowski, Director of Technology Solutions at RSA:

“This is a very challenging vulnerability to manage because the scope of potentially affected systems is very large, and can be exploited in a wide variety of forms across multiple attack surfaces. Further, there is no single obvious signature to help comprehensively detect attempts to exploit the vulnerability, as there are so many apps that access BASH in many different ways.

Because many organizations had to recently manage a vulnerability with similar broad scope in Heartbleed, they may have improved their processes to rapidly identify and remediate affected systems which they can leverage in their efforts here.” 
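Two of the points above are easy to check in practice: the first commentator notes that exploitation hinges on getting attacker-controlled text into a bash environment variable, and Sadowski notes that there is no single signature because so many applications export request data into bash in different ways. The script below is an added example written for this column, not code from the article or from any of the quoted experts. It probes the local bash for the original bug (CVE-2014-6271) with the widely published `env x='() { :;}; ...'` test, and scans web-server log lines for the function-definition prefix `() {` that any injection through a CGI-exported header must carry. The log lines, addresses and paths are constructed for the example, not real traffic.

```shell
#!/usr/bin/env bash
# Added example for this column (not code from the article or its quoted
# experts): a local probe for the original Shellshock bug, CVE-2014-6271,
# and a log scan for the function-definition pattern attackers push into
# bash environment variables through HTTP headers.

# Returns "vulnerable" if the local bash executes the command appended to
# a function definition imported from the environment, "patched" if it
# treats the variable as a plain string, "no-bash" if bash is absent.
shellshock_probe() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return; }
    local out
    out=$(env x='() { :;}; echo INJECTED' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *INJECTED*) echo vulnerable ;;
        *)          echo patched ;;
    esac
}

# Reads log lines (Apache combined format here) on stdin and prints those
# carrying a bash function definition "() {" anywhere in the request. That
# covers User-Agent, Referer, Cookie or any other header a CGI handler
# exports into the environment. Whitespace between "()" and "{" is allowed.
scan_for_shellshock() {
    grep -E '\(\)[[:space:]]*\{'
}

# Constructed sample traffic (hypothetical addresses and paths, not real logs).
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"id\""
198.51.100.7 - - [25/Sep/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "(){ ignored;}; echo; /bin/cat /etc/passwd" "curl/7.30.0"
198.51.100.9 - - [25/Sep/2014:10:00:04 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible)"'

# Number of sample lines flagged by the scan (the injection in line 3 rides
# the Referer field, not User-Agent, which is why the scan is not header-specific).
shellshock_hit_count() {
    printf '%s\n' "$SAMPLE_LOG" | scan_for_shellshock | wc -l | tr -d ' '
}

echo "local bash: $(shellshock_probe)"
echo "flagged requests in sample log: $(shellshock_hit_count)"
printf '%s\n' "$SAMPLE_LOG" | scan_for_shellshock
```

The probe only covers the first bug; the follow-up parser issues that Stanislav refers to (the incomplete first patch) need their own tests and, more to the point, an upgraded bash rather than a signature. The log scan is deliberately broad: it flags the prefix regardless of which header carries it, which is the trade-off Sadowski describes, so expect to tune it against your own traffic before alerting on it.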

Joe Barrett, Senior Security Consultant, Foreground Security:

“Right now, Shellshock is making people drop everything and scramble to fix patches. Security experts are still expanding the scope of the vulnerability, finding more devices and more methods in which this vulnerability can be exploited. But no one has gotten hacked and been able to turn around and point and say ‘It was because of Shellshock’ that I’ve seen.

If you have a Linux box, patch it. Now. Do you have a Windows box using Cygwin? Update Cygwin to patch it. And then start trying to categorize all of the ‘other’ devices on the network and determining if they might be vulnerable. Because chances are a lot of them are.

Unfortunately, vendors probably will never release patches to solve this for most appliances, because most [Internet-connected] appliances don’t even provide a way to apply such an update. But for the most part all you can do is try to identify affected boxes and move them behind firewalls and out of the way of anyone’s ability to reach them. Realistically, we’ll probably still be exploiting this bug in penetration tests in 8 years. Not to mention all of the actual bad guys who will be exploiting this.”

Until Next Friday…Have a Great Weekend!

Related Reading: What We Know About Shellshock So Far, and Why the Bash Bug Matters

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

Asus Patches Firmware Security Vulnerability

Posted on February 18, 2014 by in Security

It is not uncommon for vendors to issue security advisories. This time, however, it appears a hacker gave at least one victim an unexpected heads-up.

According to Ars Technica, a user of an Asus router uncovered a text file on his external hard drive. The message read as follows: “This is an automated message being sent out to everyone affected. Your Asus router (and your documents) can be accessed by anyone in the world with an Internet connection.”

The note also instructed the user to read information on how to protect against the attack, which took advantage of a vulnerability uncovered last year by researcher Kyle Lovett. According to Lovett, the issue allows hackers to “traverse to any external storage plugged in through the USB ports on the back of the router.”

Asus did not respond to a request for comment on the issue. However, Softpedia reported that the vulnerability was addressed last week in a firmware update by Asus.

Earlier this month, a list of nearly 13,000 IP addresses reportedly tied to the vulnerable routers was posted on the Internet. The names of files stored on the hard drives of impacted users were published as well.

The list of impacted routers includes RT-N66U, RT-N66R, RT-AC56U, RT-N56R, RT-N56U, RT-N14U, RT-N16, RT-N16R, RT-AC66R and RT-AC66U. More information about the updates for each model can be found here.

Just recently, researchers at the SANS Institute warned about a worm exploiting a vulnerability in several Linksys routers. The worm, dubbed ‘TheMoon’, takes advantage of a flaw that has since been patched by Linksys. Users are advised to apply the relevant updates.

Brian Prince is a Contributing Writer for SecurityWeek.

Previous Columns by Brian Prince:
