Multiple Huawei Products CVE-2016-8768 Local Privilege Escalation

Bugtraq ID: 93885
Class: Design Error
CVE: CVE-2016-8768
Remote: No
Local: Yes
Published: Oct 26 2016 12:00AM
Updated: Nov 25 2016 02:04PM
Credit: Zhao Jianqiang, Chen Gengjia, Wang Qize, Zhu Bin and Pan Yu.
Vulnerable: Huawei Honor 7 6.9
Huawei Honor 6 Plus 6.9
Huawei Honor 6 6.9
Not Vulnerable: Huawei Honor 7 6.9.16
Huawei Honor 6 Plus 6.9.16
Huawei Honor 6 6.9.16


SecurityFocus Vulnerabilities

Surveillance products from Moxa and Vanderbilt are affected by several critical and high severity flaws that can be exploited by remote hackers to take control of vulnerable systems.

Moxa SoftCMS vulnerabilities

ICS-CERT has published an advisory describing three serious vulnerabilities affecting Moxa SoftCMS, a central management software designed for large-scale surveillance systems. Gu Ziqiang from Huawei Weiran Labs and Zhou Yu have been credited for finding the security holes.

The most severe of the flaws, with a CVSS score of 9.8, is a SQL injection (CVE-2016-9333) that can be exploited by a remote attacker to access SoftCMS with administrator privileges.

Another flaw, tracked as CVE-2016-8360, is a double free condition that allows an attacker to cause a denial-of-service (DoS) and possibly even execute arbitrary code.

The third vulnerability (CVE-2016-9332) has been described by ICS-CERT as an “improper input validation” issue that can lead to a crash of the application.

ICS-CERT said in its advisory that Moxa patched these security holes with the release of SoftCMS 1.6 on November 10, but the vendor’s release notes show that the latest version only addresses the SQL Injection issue.

A different SQL injection, also discovered by Zhou Yu, was patched by Moxa in its SoftCMS software a couple of months ago with the release of version 1.5. Versions 1.3 and 1.4, released last year, also fixed potentially serious flaws found by security researchers.

Vulnerabilities in Siemens-branded Vanderbilt CCTV cameras

Siemens and ICS-CERT informed users that several Siemens-branded Vanderbilt IP cameras are affected by a vulnerability (CVE-2016-9155) that allows an attacker with network access to obtain administrative credentials using specially crafted requests. Updates have been released by Vanderbilt for each of the affected products.

Vanderbilt Industries completed the acquisition of Siemens’ security products business in June 2015. Since the affected CCTV cameras are Siemens-branded products, the German engineering giant has published a security advisory on its own website.


Previous Columns by Eduard Kovacs:

SecurityWeek RSS Feed

The only surprise in this week's announcement that BlackBerry is getting out of the hardware business is that it took this long. CEO John Chen has been hinting broadly for two years that this would happen, and the parade of unsuccessful Android smartphones that followed the parade of unsuccessful BlackBerry 10 OS smartphones pointed in only one direction: the death of hardware.

But BlackBerry was and is not simply a hardware company. Chen has spent considerable effort to transform it into a software company focused mainly on mobile security tools, but also a little on communications tools. Today, BlackBerry has a grab bag of technologies it's acquired to stake out that software claim.


Here's which ones should matter to you and which ones shouldn't.

Good Secure EMM suites

IT has long known and used BlackBerry Enterprise Server (BES), which was renamed BlackBerry Enterprise Service when it was expanded in 2012 to support iOS and Android through the 2011 acquisition of Ubitexx. BES is now a component of the Good Secure EMM Suites, most of whose components came from another acquisition, Good Technology, in 2015.

Good is the sole significant survivor of the original, pre-iPhone enterprise mobility management (EMM) providers. Today, newcomers like MobileIron and AirWatch (bought by VMware a few years back) dominate the market, and Microsoft is trying to muscle in with its Enterprise Management Service product suite.

Like MobileIron and AirWatch, Good's suites support iOS, Android, Windows 10, and MacOS for what's called omnidevice management. Good also provides the option of wrapping custom applications with its proprietary APIs via the Good Dynamics tools to add security features not natively supported by the iOS and Android APIs; MobileIron and AirWatch offer similar mobile management extensions. And like MobileIron and AirWatch, the Good suites tie into identity management systems -- an essential connection for users entrusted with sensitive corporate data and workflows on both mobile and desktop devices.

Good has a long history in IT, and it remains a real contender for your EMM platform, especially if you've already invested in its tools.

WatchDox

There's a lot of noise lately around document management on mobile devices. Microsoft has one approach for Office 365, Apple has one for e-books in iOS, and every cloud storage vendor has tools to manage document access across devices.

WatchDox, purchased by BlackBerry in 2015, takes a heavy-handed approach, adding digital rights management to files to ensure they can be read and edited only by authorized users. That makes sense for truly critical documents, but it means your people are restricted to using only WatchDox apps for that content -- which may or may not make sense for specific documents and workflows.

WorkLife

Part of the Good product set BlackBerry acquired, this split-billing component tracks cellular data usage by Good Dynamics apps. Ostensibly, it helps IT manage cellular data costs in BYOD scenarios, but in practice, it does not.

That's because users work with many other off-the-shelf apps that don't call the proprietary Dynamics APIs, so their data usage isn't tracked. Besides, if you provide a fixed reimbursement for work use of BYOD items, there's no need to track cellular data for each person to figure out the relative billing balance.

AtHoc

Based on a 2015 acquisition, the AtHoc platform lets you manage crisis communications, such as sending automated messages to staff and others in case of a natural disaster, an unexpected building closure, a mass shooting, or even a meeting delay. AtHoc has no strong relationship to other BlackBerry services, so any decision around its use need not factor other BlackBerry relationships.

Secure messaging: SecuSmart and BBM Secure

BlackBerry bought SecuSmart in 2014 to offer encryption-secured calls and text messaging for Android and iOS smartphones. This was back when former NSA contractor Edward Snowden revealed the U.S. government was snooping on foreign leaders' calls, and governments started seeking a way to block the NSA.

SecuSmart works only on smartphones. Its text-messaging encryption is tied to a mobile phone number, so tablet-based messaging is protected only if it goes through a protected smartphone, such as if an iPad user is using Handoff to text via his or her iPhone.

BlackBerry also offers BBM Secure, which protects text messages on Android and iOS smartphones via the BlackBerry Messenger app. Its capabilities are similar to those of SecuSmart, and it's unclear why BlackBerry offers both options.

Again, note the limitation to smartphones. If you want to secure text messaging across all user devices, look elsewhere.

BlackBerry Messenger

Available for Android and iOS devices for several years now, BBM sought to take advantage of the popularity of the BlackBerry phone's beloved messaging service. It works OK, but if you have multiple devices, it's a pain to use because only one device can be active at a time -- not a restriction on the many other messaging apps available today. Plus, there's no desktop client.

If your concern is privacy, I'd go with Snowden's recommended Signal app instead, from Open Whisper Systems. If you want a great messaging app across all popular devices with good support for voice, text, and video, Signal fits the bill nicely, too.

Dtek for Android

Available for a small number of Android devices, Dtek lets users see what data various apps are monitoring and manage the permissions for each app. That sounds great, until you realize Android Marshmallow (and Nougat) does that natively, with no app needed. In iOS, of course, Apple has long provided this visibility and the controls over apps' use of your data.

BlackBerry Hub for Android

One of the few features in the BlackBerry 10 OS that users liked, the Hub is a central communications zone so that you don't have to switch among apps to handle your various communications channels. I found it overwhelming, but many others really like the Hub.

It's available for Android Marshmallow and later devices; an iOS version is supposedly in the works. BlackBerry Hub is certainly worth a try if you like the idea of a communications hub on your mobile device.

Miscellaneous Android apps

BlackBerry has made some features from its Priv and Dtek Android phones available to other Android devices (not to iOS). If you're the kind of person who likes to use a third-party app rather than the native clients, check them out at the Google Play Store (search for "BlackBerry").

In addition to the Dtek, BBM, and Hub apps already mentioned, the apps compatible with many Android devices include BlackBerry Contacts, BlackBerry Calendar, Tasks by BlackBerry, Notes by BlackBerry, BlackBerry Password Keeper, and BlackBerry Device Search.

Your guess is as good as mine as to how long BlackBerry will continue to develop and support these apps.


InfoWorld Security

A firmware update released by Siemens this month for some of its industrial network security products fixes a vulnerability that could expose potentially sensitive information.

The affected products are SCALANCE M-800 industrial routers, which are used to secure remote access to plants via mobile networks, and SCALANCE S615 firewalls, which ensure the protection of trusted industrial networks from untrusted networks.

SCALANCE M-800 and S615 modules running firmware versions prior to 4.02 are plagued by a vulnerability that could allow a man-in-the-middle (MitM) attacker to obtain web session cookies.

Siemens and ICS-CERT explained in their advisories that the flaw exists because the integrated web server delivers session cookies without the secure flag. Web browsers are designed to prevent the transmission of a cookie over an unencrypted channel if the secure flag is set.
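The missing-Secure-flag weakness described above is easy to check for in any web response. The following is an added example, not code from the Siemens or ICS-CERT advisories; the HTTP response, cookie names and values are constructed, and the check simply reports every Set-Cookie header that lacks the Secure (and, as a related hardening flag, HttpOnly) attribute.

```python
# Added example (not from the advisory): audit Set-Cookie headers for cookies
# issued without the Secure flag, the weakness behind CVE-2016-7090.
# CONSTRUCTED_RESPONSE is a made-up HTTP response; names and values are placeholders.

CONSTRUCTED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly\r\n"   # vulnerable: no Secure
    "Set-Cookie: lang=en; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT\r\n"
    "Set-Cookie: csrf=xyz; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"  # hardened
    "\r\n"
)

# Flags a session cookie served over HTTPS should carry. Secure keeps the browser
# from sending the cookie over plaintext HTTP, which is what a MitM attacker
# relies on to read it.
REQUIRED_FLAGS = ("secure", "httponly")


def parse_cookies(raw_response: str) -> dict[str, set[str]]:
    """Return {cookie_name: {lowercased attribute names}} for each Set-Cookie header.

    Each header line is handled on its own: joining Set-Cookie headers and
    splitting on commas would break on Expires dates, which contain a comma.
    """
    header_block = raw_response.split("\r\n\r\n", 1)[0]
    cookies: dict[str, set[str]] = {}
    for line in header_block.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0].strip()
        # Attributes like Path=/ carry a value; flags like Secure do not.
        cookies[cookie_name] = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return cookies


def audit(raw_response: str) -> dict[str, list[str]]:
    """Return {cookie_name: [missing flags]} for cookies lacking Secure or HttpOnly."""
    findings: dict[str, list[str]] = {}
    for cookie_name, attrs in parse_cookies(raw_response).items():
        missing = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
        if missing:
            findings[cookie_name] = missing
    return findings


if __name__ == "__main__":
    for cookie_name, missing in audit(CONSTRUCTED_RESPONSE).items():
        print(f"{cookie_name}: missing {', '.join(missing)}")
```

The same check can be run against real responses captured with any HTTP client; a session cookie reported as missing `secure` on an HTTPS-only device is the condition the advisory describes.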


The vulnerability, identified as CVE-2016-7090, is considered a medium severity issue. The security hole can be exploited remotely, but ICS-CERT believes it’s not easy to create a working exploit for it.

Siemens has advised customers to update the firmware on SCALANCE M-800 and S615 products to version 4.02. The company has credited Alexander Van Maele and Tijl Deneut from HOWEST for finding the weakness.

In recent years, ICS-CERT has published nearly a dozen advisories describing SCALANCE vulnerabilities. The vendor has resolved a total of five issues since January 2015, the most serious of them being a couple of DoS flaws and an improper authentication bug disclosed in early 2015.

The number and severity of vulnerabilities found recently in SCALANCE routers is much lower than a few years ago. In 2013, Siemens and external researchers identified nearly a dozen high-impact issues in this product line.


Vulnerable: IBM Tivoli Storage Productivity Center 5.2.10
IBM Tivoli Storage Productivity Center 5.2.6
IBM Tivoli Storage Productivity Center 5.2.5
IBM Tivoli Storage Productivity Center 5.2.2
IBM Tivoli Storage Productivity Center 5.2.1 0
IBM Tivoli Storage Productivity Center 5.2
IBM Tivoli Storage Productivity Center 5.2.7.1
IBM Tivoli Storage Productivity Center 5.2.7
IBM Tivoli Storage Productivity Center 5.2.5.1
IBM Tivoli Storage Productivity Center 5.2.4.1
IBM Tivoli Storage Productivity Center 5.2.4
IBM Tivoli Storage Productivity Center 5.2.3
IBM Tivoli Storage Productivity Center 5.2.1.1
IBM Spectrum Control 5.2.11
IBM Spectrum Control 5.2.10
IBM Spectrum Control 5.2.9
IBM Spectrum Control 5.2.8
IBM Spectrum Control 5.2.10.1



Bugtraq ID: 92962
Class: Boundary Condition Error
CVE: CVE-2016-8276
Remote: Yes
Local: No
Published: Sep 14 2016 12:00AM
Updated: Sep 19 2016 02:00PM
Credit: The vendor reported this issue.
Vulnerable: Huawei USG5500 V300R001C10
Huawei USG5500 V300R001C00
Huawei USG5100 V300R001C10
Huawei USG5100 V300R001C00
Huawei USG2200 V300R001C10
Huawei USG2200 V300R001C00
Huawei USG2100 V300R001C10
Huawei USG2100 V300R001C00
Not Vulnerable: Huawei USG5500 V300R001C10SPC600
Huawei USG5100 V300R001C10SPC600
Huawei USG2200 V300R001C10SPC600
Huawei USG2100 V300R001C10SPC600



This is not just another "I found a problem in a single IOT device" talk. Focusing on attacking three major consumer product lines that have grown rapidly in the past years, Zack and Erin will review flaws they’ve discovered and weaponized against home Windows installs, DIY security solutions, personal fitness tracking devices, and digital notification devices. We’ll review the security of these popular products and services in a ‘consumer reports’ style walkthrough, the attack methods against the 21 devices reviewed, release some tools for the lulz, and highlight the threats facing similar products. It's time to Fight for the Users. END OF LINE.

Zack Fasel and Erin Jacobs are Partners at Urbane Security, a solutions-focused vendor-neutral information security services firm focusing on providing innovative defense, sophisticated offense and refined compliance services.

Heading up Urbane's Research and Security Services divisions, Zack brings his years of diverse internal and external experience to drive Urbane's technical solutions to organizations' top pain points. His previous research and presentations at conferences have spread across numerous domains including Windows authentication flaws, femtocells, open source defensive security solutions, cloud security, and unique network and application attack vectors. When not selling out, he can be found lost in the untz unce wubs, dabbling in instagram food photography, or eating scotch and drinking gummy bears (that's right, right?). More information on Zack can be found by searching for "zfasel" and on Urbane Security at UrbaneSecurity.com.

Leading the charge of Urbane’s Compliance and Enterprise Risk Management divisions, Erin brings her years of executive level experience coupled with deep and diverse technical knowledge to help organizations accurately prioritize and address the security and compliance risks they face. Her prior talks and research have spread across numerous domains, including technical solutions for compliance requirements, OSX reversing, diversity in tech, and IOT. More information on Erin can be found by following @SecBarbie on Twitter.

Twitter: @UrbaneSec @zfasel @SecBarbie


DEF CON Announcements!

Multiple VMware Workstation Products CVE-2016-7085 DLL Loading Remote Code Execution Vulnerability

Bugtraq ID: 92940
Class: Design Error
CVE: CVE-2016-7085
Remote: Yes
Local: No
Published: Sep 13 2016 12:00AM
Updated: Sep 13 2016 12:00AM
Credit: Stefan Kantha, Anand Bhat, and Himanshu Mehta.
Vulnerable: VMWare Workstation Pro 12.1.1
VMWare Workstation Pro 12.1
VMWare Workstation Player 12.1.1
VMWare Workstation Player 12.1
Not Vulnerable: VMWare Workstation Pro 12.5.0
VMWare Workstation Player 12.5

