Flaw

A flaw in Office 365 could have been exploited by attackers to send out malicious emails and make them look as if they were coming from a legitimate microsoft.com address.

The issue was discovered by Utku Sen, a Turkey-based security enthusiast known for releasing an open source ransomware called Hidden Tear for educational purposes.

Sen found the issue while testing the spam filters of email services such as Outlook 365, Gmail and Yandex. During his tests, which he conducted using the Social Engineering Email Sender (SEES) tool, the expert noticed that Yandex identified some of his phishing emails as valid and marked them with a green icon after performing a DomainKeys Identified Mail (DKIM) verification.

It turned out that the emails detected as valid came from a spoofed microsoft.com email address and they were forwarded through Outlook 365 to Yandex. Further analysis showed that Gmail also accepted the fake microsoft.com emails forwarded from Outlook as legitimate.

The method only worked with emails coming from a spoofed microsoft.com address. When other domains were used, the fake emails went straight to the spam folder.

Sen was unable to figure out the cause, but Reddit user “ptmb” said the problem was likely that Outlook was signing redirected messages with its own DKIM key.

“That means that instead of having an email with a proof of identity from the original sender, you received an email with a proof of identity from the ‘redirector’,” ptmb explained. “And because Outlook was blindly signing these messages it was redirecting, if the message had a fake from field saying something(at)microsoft.com, then after Outlook blindly redirected it, it’d have a genuine DKIM signature from Microsoft by coincidence, even though the original email wasn’t from Microsoft at all.”

Sen informed both Microsoft and Yandex about his findings in September. Microsoft confirmed the issue and patched it in late October, and listed the researcher on its acknowledgements page. Yandex removed the green validation icon, but it’s unclear if it was due to the expert’s report.

Related Reading: Email Is Forever - and It's Not Private

Related Reading: Cisco Patches 9 Flaws in Email Security Appliance

Related Reading: Hackers Can Hijack Dell Email Security Appliances

view counter

Previous Columns by Eduard Kovacs:

Tags:


SecurityWeek RSS Feed

In an already troubled year for Symantec, the company reported another major vulnerability in three of its enterprise security products.

Found in the IT Management Suite 8.0, Ghost Solution Suite 3.1 and Endpoint Virtualization 7.x products, the flaw is a dynamic link library (DLL) loading issue that can be exploited in two different ways. First, an "authorized, but nonprivileged" user could execute malicious DLL code in place of the authorized DLL code. The second way to exploit this DLL code flaw is for outside attackers to trick an authorized user to click on an email link that would download the malicious code. "Ultimately, this problem is caused by a failure to use an absolute path when loading DLLs during product boot up/reboot," Symantec said in its security advisory.

While DLL code vulnerabilities are common and thought to be a lesser threat to enterprises, Symantec rated this vulnerability as high severity. Symantec has not reported any actual exploitation of this vulnerability and has already released product upgrades that will fix the issue for all three products.

However, the discovery of this flaw, listed as CVE-2016-6590, is the latest in a growing line of Symantec security product vulnerabilities found this year. While the DLL flaw was unearthed by Himanshu Mehta, senior threat analysis engineer at Symantec, the three prior batches of flaws were reported by Google Project Zero's Tavis Ormandy.

The previous flaws include an easily exploitable one in the core scanning engine used in most Symantec and Norton antivirus products, as well as a vulnerability -- found just weeks after the first -- caused by unpatched, third-party open source software that was said to be "as bad as it gets" by Ormandy. The most recent set of Symantec bugs were in the file parser component of its antivirus decomposer engine.

In its vulnerability report for the DLL flaw, Symantec recommended several best practices for users of the affected products to reduce the threat, including restricting access to administrative or management systems to authorized privileged users, implementing the principle of least privilege and restricting remote access to only authorized systems.

In other news:

  • A gamer seeking revenge might be responsible for the Oct. 21 attack on domain name system  provider Dyn that shut down parts of the internet. In his testimony for a House Energy and Commerce Committee hearing, Level 3 Communications Inc. CSO Dale Drew said the attack was likely the work of a single individual who was specifically targeting the PlayStation Network. "We believe that in the case of Dyn, the relatively unsophisticated attacker sought to take offline a gaming site with which it had a personal grudge," Drew said. The attack used the Mirai malware to launch a distributed denial-of-service attack and gain control over more than 150,000 internet-of-things devices and overwhelm Dyn's sytems, which interrupted service to major websites, such as Twitter, Reddit and Netflix.
  • United States Director of National Intelligence James Clapper submitted his letter of resignation on Nov. 16. Clapper oversees 17 different agencies, including the CIA, FBI and National Security Agency, and he is the lead intelligence adviser to President Barack Obama. Clapper -- who is 75 years old and has held the position for six years -- announced his decision to resign in a Congressional hearing, and the Office of the DNI confirmed it on Twitter the following morning. Clapper was a central figure in the debate over government surveillance following the Edward Snowden revelations. He received criticism from lawmakers, security experts and privacy advocates for testifying before Congress in 2013 about the NSA's spying programs, claiming the agency did not engage in bulk data collection on millions of Americans. Clapper's resignation goes into effect at noon on Jan. 20, 2017.
  • Gavin Andresen, chief scientist at the Bitcoin Foundation, has regrets about getting involved in Craig Wright's attempts to prove he created the digital currency bitcoin. Andresen backed Wright's claim to be the mysterious Satoshi Nakamoto -- which he has failed to prove on multiple occasions -- and even defended Wright after his claims were debunked. Andresen has kept a relatively low profile since Wright's last failure six months ago, but posted a brief statement on his blog on Nov. 16. "So, either he was or he wasn't," Andresen wrote on whether or not Wright is Satoshi. "In either case, we should ignore him. I regret ever getting involved in the 'who was Satoshi' game, and am going to spend my time on more fun and productive pursuits."
  • The ransomware known as Crysis suffered a blow Nov. 13, when the master decryption keys were made available to the public after being posted on BleepingComputer forums. Crysis first surfaced in February 2016 when ESET researchers found it was filling in for the receding TeslaCrypt ransomware. According to ESET's report, Crysis is able to "encrypt files on fixed, removable and network drives. It uses strong encryption algorithms and a scheme that makes it difficult to crack in reasonable time." This ransomware was spread primarily through attachments to spam emails, but now its victims have an opportunity to recover what they've lost. The decryption keys -- posted by a BleepingComputer user known only as crss7777 -- cover Crysis versions 2 and 3, and Kaspersky Lab has already added them to the Rakhni decryptor.

Next Steps

Learn more about the critical Symantec vulnerabilities found this year

Find out how bad all these vulnerabilities are for Symantec

Discover more about the Mirai IoT botnet attacks

Dig Deeper on Enterprise Vulnerability Management

  • All
  • News
  • Get Started
  • Evaluate
  • Manage
  • Problem Solve

PRO+

Content

Find more PRO+ content and other member only offers, here.


SearchSecurity: Security Wire Daily News

A firmware update released by Siemens this month for some of its industrial network security products fixes a vulnerability that could expose potentially sensitive information.

The affected products are SCALANCE M-800 industrial routers, which are used to secure remote access to plants via mobile networks, and SCALANCE S615 firewalls, which ensure the protection of trusted industrial networks from untrusted networks.

SCALANCE M-800 and S615 modules running firmware versions prior to 4.02 are plagued by a vulnerability that could allow a man-in-the-middle (MitM) attacker to obtain web session cookies.

Siemens and ICS-CERT explained in their advisories that the flaw exists because the integrated web server delivers session cookies without the secure flag. Web browsers are designed to prevent the transmission of a cookie over an unencrypted channel if the secure flag is set.

 ICS Cyber Security Conference

The vulnerability, identified as CVE-2016-7090, is considered a medium severity issue. The security hole can be exploited remotely, but ICS-CERT believes it’s not easy to create a working exploit for it.

Siemens has advised customers to update the firmware on SCALANCE M-800 and S615 products to version 4.02. The company has credited Alexander Van Maele and Tijl Deneut from HOWEST for finding the weakness.

In the past years, ICS-CERT published nearly a dozen advisories describing SCALANCE vulnerabilities. A total of five issues were resolved by the vendor since January 2015, the most serious of them being a couple of DoS flaws and an improper authentication bug disclosed in early 2015.

The number and severity of vulnerabilities found recently in SCALANCE routers is much lower compared to a few years ago. In 2013, Siemens and external researchers identified nearly a dozen high impact issues in this product line.

Related: Learn More at the ICS Cyber Security Conference

Related: Siemens Fixes Several Flaws in SIPROTEC Products

view counter

Previous Columns by Eduard Kovacs:

Tags:


SecurityWeek RSS Feed

Ready for me to go old school? How about SQL Slammer-level old school? More than 13 years after it was first found scurrying around the internet, the SQL Slammer worm can still be found propagating in the wild, albeit minimally, according to IBM Managed Security Services (MSS) data.

But why does such an old threat keep making the rounds more than a decade after its discovery? Some older threats never die because they’re easy to exploit. There’s always the chance that a vulnerable system can be compromised by tested and true bugs.

Shellshock Surge

While SQL Slammer is a dated threat that only affected Microsoft SQL server 2000, we have much more serious and widespread threats following in its footsteps.

Last Saturday marked the two-year anniversary of one of the most infamous bugs of 2014, Shellshock. A recent surge in attacks observed by IBM Managed Security Services suggested the threat is still prevalent.

From Zero Day to Present Day

A 20-year-old vulnerability (CVE-2014-6271) in the GNU Bash shell, which is widely used on Linux, Solaris and Mac OS systems, sparked the mobilization of attacks known as Shellshock beginning in late September 2014. This first vulnerability gave way to the disclosure of several additional vulnerabilities affecting the UNIX Shell within a short period (CVE-2014-7186 and CVE-2014-7187), at which point many realized that this was a threat to be reckoned with.

Right at the onset, we observed a significant increase in focused attacks leveraging these vulnerabilities — over 2,000 security events within 24 hours of the Shellshock bug disclosure. To get an idea of the magnitude of this activity, there were just over 7,500 Shellshock security events for the entire month of August 2016, according to IBM MSS data.

When a zero-day vulnerability surfaces, especially a high-profile one that can affect many systems, the corresponding exploit is usually disclosed promptly. With Shellshock, an exploit targeting the first vulnerability was publicly disclosed a mere 28 hours after the zero-day vulnerability emerged.

As news of this vulnerability and its ease of exploitation spread, the number of attackers opting to leverage and exploit it increased tremendously. Attacks came in waves from different source IPs and originating countries, rising in quantity every hour.

Shocking Numbers

As though in anticipation of its anniversary, Shellshock attack activity recently surged to levels not seen since 2015. As of Sept. 22, the month of September accounted for more than 26 percent of the total activity recorded in 2016.

A little over 70 percent of the attack traffic originated in the U.S., whereas another 18 percent comes from Australia. Top targets of these attacks, according to IBM MSS data, include organizations located in U.S. (26 percent), Japan (18 percent), India (16 percent) and Brazil (11 percent).

Shellshock anniversary

Retrospective Perspective

Before Shellshock had us scrambling to patch our systems in 2014, we were running for the hills because of another vulnerability. Heartbleed, which affected OpenSSL, a popular open-source protocol, was all over the news.

Heartbleed enabled attackers to remotely exploit a vulnerability to read system memory contents without needing to log on and authenticate a valid identity to a remote server. Successful exploitation could allow attackers to retrieve private keys, passwords or other sensitive information from servers they were not authorized to access.

Shellshock 2

Although a formidable threat when it first surfaced — IBM MSS data revealed over 1.8 million Heartbleed-based attacks by the end of the first month — Heartbleed failed to exhibit the same staying power as its system-crippling cousin, Shellshock.

As shown in the figure above, in the past year, Heartbleed activity indeed paled in comparison to Shellshock, failing to reach even 15 percent of the total number of Shellshock attacks. Even as Shellshock attacks nosedived in November 2015 and continued to wane as we entered 2016, it still managed to maintain its stamina, averaging nearly 7,900 attacks per month throughout 2016.

Who Is Still Riding the Shellshock Wave?

Per IBM MSS data, as of mid-September, the U.S. is the leading country from which Shellshock attacks originate, making up 71 percent of the total in 2016. Approximately 1,800 unique source IPs based in the U.S. were responsible for these attacks. China is in a distant second, making up 8 percent of the Shellshock attacks, followed by Australia and Italy at 6 percent and 3 percent, respectively.

Shellshock 3

Who Is Still Suffering From Shellshock?

The U.S. is also the leading country in terms of organizations targeted by Shellshock, making up 46 percent of the total in 2016. Although Japan was at the top when the threat first materialized, it ranks second in 2016, making up 24 percent of the total on a global scale.

Shellshock 4

In terms of industries most targeted, the information and communication sector, including telecommunications companies as well as those that provide computer programming and consulting services, topped the list in 2016. They sustained over 46 percent of the Shellshock attacks. This makes sense since many major organizations in this space run Linux-based systems in their IT infrastructure and environments.

Shellshock 5

Financial services ranked second at 26 percent, followed closely by manufacturing in third at 16 percent. The finance sector began adopting Linux-based platforms over a decade ago, with early adopters including the Chicago Mercantile Exchange in 2004 and the New York Stock Exchange in 2007. The pervasiveness of the operating system in this sector makes it an attractive target.

UNIX systems, which employ the Bash shell, are also perhaps more prevalent in manufacturing versus other industries. ICS and SCADA hardware might also have a basic UNIX-like firmware running on the device that can’t be easily updated due to special constraints. That could lead to outdated vulnerable services such as SSH, OpenSSL and Apache running on critical devices.

Additionally, the large discrepancy in Shellshock activity observed in information and communications, financial services and manufacturing versus other industries may point to differences in patching practices among those verticals.

Make It Go Away

We wish we could wave a magic wand and make threats like Shellshock go away. But it’s not so simple, unfortunately. Like stains, some cyberthreats are persistently visible, and Shellshock seems bent on sticking around.

So how do you address this issue? Apply the appropriate update for your system. Failure to apply patches and fixes leaves your organization at risk of Shellshock attacks. Timely patch management is vital in organizations of any size. However, depending on the complexity of your environment, this is easier said than done.

Security intelligence and data analytics tools allow your organization to identify the greatest vulnerabilities and prioritize patching, keeping your systems patched and up to date. Virtual patch technology can provide an additional layer of protection. While vendor patches are a first line of defense, protocol analysis, which is incorporated in IBM Security Network Intrusion Prevention product offerings, can provide an additional layer to protect against these types of attacks. In fact, IBM has been helping to protect customers from Shellshock and similar attacks since 2007.

Let’s hope this upward trend is fleeting, and next year there won’t be any reason to publish an anniversary blog.

To learn more about other older attacks that are still successful, check out the white paper “Beware of Older Cyber Attacks.”

Read the White Paper to learn more about older attacks


Security Intelligence

Pokémon GO Spam, Ransomware, On the Rise

August 17, 2016 , 12:58 pm

Bruce Schneier on Probing Attacks Testing Core Internet Infrastructure

September 15, 2016 , 11:15 am

Generic OS X Malware Detection Method Explained

September 13, 2016 , 9:14 am

Patched Android Libutils Vulnerability Harkens Back to Stagefright

September 9, 2016 , 2:06 pm

Chrome to Label Some HTTP Sites ‘Not Secure’ in 2017

September 8, 2016 , 3:43 pm

Threatpost News Wrap, September 2, 2016

September 2, 2016 , 9:00 am

Insecure Redis Instances at Core of Attacks Against Linux Servers

September 1, 2016 , 1:08 pm

Dropbox Forces Password Reset for Older Users

August 29, 2016 , 9:58 am

Cisco Begins Patching Equation Group ASA Zero Day

August 24, 2016 , 5:53 pm

New Collision Attacks Against 3DES, Blowfish Allow for Cookie Decryption

August 24, 2016 , 8:00 am

Cisco Acknowledges ASA Zero Day Exposed by ShadowBrokers

August 17, 2016 , 4:06 pm

ProjectSauron APT On Par With Equation, Flame, Duqu

August 8, 2016 , 1:40 pm

Miller, Valasek Deliver Final Car Hacking Talk

August 4, 2016 , 3:26 pm

Researchers Go Inside a Business Email Compromise Scam

August 4, 2016 , 10:00 am

Export-Grade Crypto Patching Improves

August 3, 2016 , 10:00 am

Kaspersky Lab Launches Bug Bounty Program

August 2, 2016 , 9:00 am

Threatpost News Wrap, July 29, 2016

July 29, 2016 , 10:45 am

KeySniffer Vulnerability Opens Wireless Keyboards to Snooping

July 26, 2016 , 9:30 am

Upcoming Tor Design Battles Hidden Services Snooping

July 25, 2016 , 3:51 pm

EFF Files Lawsuit Challenging DMCA’s Restrictions on Security Researchers

July 21, 2016 , 1:18 pm

Oracle Patches Record 276 Vulnerabilities with July Critical Patch Update

July 20, 2016 , 9:21 am

Threatpost News Wrap, July 15, 2016

July 15, 2016 , 11:00 am

Academics Build Early-Warning Ransomware Detection System

July 14, 2016 , 1:05 pm

xDedic Hacked Server Market Resurfaces on Tor Domain

July 12, 2016 , 11:40 am

Conficker Used in New Wave of Hospital IoT Device Attacks

June 30, 2016 , 11:48 am

655,000 Healthcare Records Being Sold on Dark Web

June 28, 2016 , 10:00 am

Windows Zero Day Selling for $ 90,000

May 31, 2016 , 5:44 pm

Millions of Stolen MySpace, Tumblr Credentials Being Sold Online

May 31, 2016 , 1:37 pm

OTR Protocol Patched Against Remote Code Execution Flaw

March 10, 2016 , 10:23 am

IoT Insecurity: Pinpointing the Problems

July 21, 2016 , 7:00 am

BASHLITE Family Of Malware Infects 1 Million IoT Devices

August 30, 2016 , 3:29 pm

New Gmail Alerts Warn of Unauthenticated Senders

August 11, 2016 , 2:10 pm

New Trojan SpyNote Installs Backdoor on Android Devices

July 29, 2016 , 12:21 pm

Keystroke Recognition Uses Wi-Fi Signals To Snoop

August 25, 2016 , 2:19 pm

PLC-Blaster Worm Targets Industrial Control Systems

August 5, 2016 , 4:49 pm

Android Patch Fixes Nexus 5X Critical Vulnerability

September 2, 2016 , 12:49 pm


Threatpost | The first stop for security news

The leaking of BENIGNCERTAIN, an NSA exploit targeting a vulnerability in legacy Cisco PIX firewalls that allows attackers to eavesdrop on VPN traffic, has spurred Cisco to search for similar flaws in other products – and they found one.

BENIGNCERTAIN

CVE-2016-6415 arises from insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests.

“The IKE protocol is used in the Internet Protocol Security (IPsec) protocol suite to negotiate cryptographic attributes that will be used to encrypt or authenticate the communication session,” the company explained.

The flaw affects Cisco IOS, Cisco IOS XE and Cisco IOS XR Software, and could allow unauthenticated, remote attackers to retrieve memory contents. This could result in the attackers extracting the decryption keys, and using them to decrypt the encrypted traffic that passes through the affected device.

“An attacker could exploit this vulnerability using either IPv4 or IPv6 on any of the listed UDP ports,” they added. “This vulnerability can only be exploited by IKEv1 traffic being processed by a device configured for IKEv1. Transit IKEv1 traffic can not trigger this vulnerability. IKEv2 is not affected. Spoofing of packets that could exploit this vulnerability is limited because the attacker needs to either receive or have access to the initial response from the vulnerable device.”

The vulnerability also exists in some Cisco PIX firewalls, which have not been supported since 2009.

If you’re using a Cisco device that runs one of the aforementioned software, check out the security advisory to see whether the version you’re running is vulnerable, and check back often to see when Cisco will provide a software update to address it.

Cisco pointed out there are no workarounds for addressing the flaw, and noted that its Product Security Incident Response Team is “aware of exploitation of the vulnerability for some Cisco customers who are running the affected platforms.”

Until a security update is provided, administrators of affected devices are advised to keep a close eye on them and to implement intrusion prevention and/or detection systems to spot exploitation attempts.

“Cisco IPS Signatures 7699-0 and Snort SIDs 40220(1), 40221(1), 40222(1) can detect attempts to exploit this vulnerability,” the company concluded.


Help Net Security

Mistakes made in the implementation of proxy authentication in a variety of operating systems and applications have resulted in security vulnerabilities that allow MitM attackers to effectively hijack HTTPS sessions, security researcher Jerry Decime has discovered.

crack HTTPS protection

It has been confirmed that the flaw – dubbed FalseCONNECT – affects products by Apple, Microsoft, Opera and Oracle. Lenovo says that their products are not vulnerable, but other vendors who have been notified of the flaw’s existence are yet to comment on this issue.

“Web browsers and operating systems making a HTTPS request via a proxy server are vulnerable to man-in-the-middle (MITM) attacks against HTTP CONNECT requests and proxy response messages. HTTP CONNECT requests are made in clear text over HTTP, meaning an attacker in the position to modify proxy traffic may force the use of 407 Proxy Authentication Required responses to phish for credentials,” Carnegie Mellon University’s CERT/CC has explained.

“WebKit-based clients are vulnerable to additional vectors due to the fact that HTML markup and JavaScript are rendered by the client Document Object Model (DOM) in the context of the originally requested HTTPS domain.”

Decime set up a dedicated website to share technical details about the flaw and how it affects various products, and has started with Apple’s iOS and OS X. The vulnerability impacts WebKit, so any iOS or OS X application that uses WebKit when using proxies is also vulnerable (iTunes, Google Drive, Safari, etc.).

He says that all users that use proxies – with or without their knowledge – may be impacted by this vulnerability. This includes users whose company requires the use of proxies to connect to the Internet.

“Are you a government employee or police officer? Many government agencies and corporations utilize proxies for network optimization and as a layer of protection for their users. You might not even know you’re vulnerable if you’ve installed a proxy auto configuration (PAC) file from a WiFi hotspot or have employer controlled device management software on your iPhone, iPad, Android device, Chromebook, Mac, or PC which configures a proxy for you,” he noted, adding that Windows users are likely also affected as Microsoft enabled automatic proxy configuration by default.

“Are you a human rights, political, or privacy advocate, or someone who chose to use a VPN provider in conjunction with a privacy proxy for that added bit of safety? You might be impacted,” he also pointed out.

“Your secure communications could have been intercepted or tampered with by anyone exploiting this vulnerability via a WiFi evil-twin network or OpenLTE based cellular communications interception solution. Nation state actors with access to Stingray devices and nation level networking gateways could have exploited the FalseCONNECT vulnerabilities.”

Exploitation of the flaws requires the attacker to already have a MitM position on the network which targeted users are a part of. The really bad news is that most if not all victims won’t notice the attack as, for as far as they can see, there is no indication that the connection isn’t secure.

Until more vendors come up with fixes (Apple already has), users are advised to avoid using proxy-configured clients while connected to untrusted networks, and to disable proxy configuration settings if they don’t need them.


Help Net Security

Oracle Patches Record 276 Vulnerabilities with July Critical Patch Update

July 20, 2016 , 9:21 am

Microsoft Mistakenly Leaks Secure Boot Key

August 11, 2016 , 11:31 am

ProjectSauron APT On Par With Equation, Flame, Duqu

August 8, 2016 , 1:40 pm

Miller, Valasek Deliver Final Car Hacking Talk

August 4, 2016 , 3:26 pm

Researchers Go Inside a Business Email Compromise Scam

August 4, 2016 , 10:00 am

Export-Grade Crypto Patching Improves

August 3, 2016 , 10:00 am

Kaspersky Lab Launches Bug Bounty Program

August 2, 2016 , 9:00 am

Threatpost News Wrap, July 29, 2016

July 29, 2016 , 10:45 am

KeySniffer Vulnerability Opens Wireless Keyboards to Snooping

July 26, 2016 , 9:30 am

Upcoming Tor Design Battles Hidden Services Snooping

July 25, 2016 , 3:51 pm

EFF Files Lawsuit Challenging DMCA’s Restrictions on Security Researchers

July 21, 2016 , 1:18 pm

Threatpost News Wrap, July 15, 2016

July 15, 2016 , 11:00 am

Academics Build Early-Warning Ransomware Detection System

July 14, 2016 , 1:05 pm

xDedic Hacked Server Market Resurfaces on Tor Domain

July 12, 2016 , 11:40 am

Conficker Used in New Wave of Hospital IoT Device Attacks

June 30, 2016 , 11:48 am

655,000 Healthcare Records Being Sold on Dark Web

June 28, 2016 , 10:00 am

Windows Zero Day Selling for $ 90,000

May 31, 2016 , 5:44 pm

Millions of Stolen MySpace, Tumblr Credentials Being Sold Online

May 31, 2016 , 1:37 pm

OTR Protocol Patched Against Remote Code Execution Flaw

March 10, 2016 , 10:23 am

NIST Recommends SMS Two-Factor Authentication Deprecation

July 27, 2016 , 12:57 pm

New CryptXXX Can Evade Detection, Outsmart Decryption Tools

June 27, 2016 , 11:24 am

Android KeyStore Encryption Scheme Broken, Researchers Say

July 7, 2016 , 11:52 am

Necurs Botnet is Back, Updated With Smarter Locky Variant

June 23, 2016 , 4:10 pm

Planes, Trains and Automobiles Increasingly in Cybercriminal’s Bullseye

June 29, 2016 , 8:19 am

WordPress Security Update Patches Two Dozen Flaws

June 23, 2016 , 8:00 am


Threatpost | The first stop for security news

Taiwan-based networking equipment manufacturer D-Link has released firmware updates for several of its DIR model routers to address a serious vulnerability discovered by a researcher.

The flaw, identified by Daniel Romero, is a stack-based buffer overflow in a function responsible for validating session cookies. The affected function is used by a service that could be exposed to the WAN network on port 8181. A remote or a local attacker may be able to exploit the vulnerability for arbitrary code execution.

The security hole, tracked as CVE-2016-5681, has been confirmed to impact the following D-Link routers: DIR-850L B1, DIR-822 A1, DIR-823 A1, DIR-895L A1, DIR-890L A1, DIR-885L A1, DIR-880L A1, DIR-868L B1, DIR-868L C1, DIR-817L(W) and DIR-818L(W).

The CERT Coordination Center (CERT/CC) has assigned this vulnerability a CVSS score of 9.3, which puts it in the “critical impact” category.

D-Link said in an advisory that it has released firmware updates for most of the affected router models, except DIR-817 Rev. Ax and DIR-818L Rev. Bx. Patches for these devices will be made available by the end of August.

Since D-Link home and small business routers are highly popular, they are often analyzed by security researchers. The company released firmware updates for several of its products last year, but not all vulnerabilities were patched properly on the first try.

Routers are not the only products found to be vulnerable to hacker attacks. In June, IoT security startup Senrio revealed that it had found a serious flaw in a popular D-Link Wi-Fi camera. After a detailed analysis of the issue, the vendor discovered that the bug affects more than 120 of its products, including access points, modems, routers, connected home products and storage solutions.

Related Reading: Flaws in Ruckus Access Points Expose Organizations to Attacks

Related Reading: D-Link Accidentally Publishes Private Keys Online

view counter

Previous Columns by Eduard Kovacs:

Tags:


SecurityWeek RSS Feed