Surveillance products from Moxa and Vanderbilt are affected by several critical- and high-severity flaws that remote attackers can exploit to take control of vulnerable systems.

Moxa SoftCMS vulnerabilities

ICS-CERT has published an advisory describing three serious vulnerabilities affecting Moxa SoftCMS, a central management software product designed for large-scale surveillance systems. Gu Ziqiang from Huawei Weiran Labs and Zhou Yu have been credited with finding the security holes.

The most severe of the flaws, with a CVSS score of 9.8, is a SQL injection (CVE-2016-9333) that can be exploited by a remote attacker to access SoftCMS with administrator privileges.
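The advisory does not say where the injectable parameter sits, so the following is an added illustration of the flaw class rather than SoftCMS code: a login query assembled by string formatting, beside the same query with bound parameters. The table, accounts and payload are constructed for the example; real systems would store password hashes, not plaintext, but that does not change the injection mechanics.

```python
import sqlite3

# Constructed sample database, not SoftCMS's schema: an in-memory SQLite table
# standing in for any web application's user store. Plaintext passwords are
# used only to keep the example short.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cret-admin-pw", "administrator"),
         ("viewer", "viewer-pw", "operator")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the query by string formatting: attacker text becomes SQL syntax."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Same query with bound parameters: input stays data, never SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def demo() -> dict:
    conn = make_db()
    # The payload closes the string literal and comments out the password
    # check, so the vulnerable query becomes:
    #   ... WHERE username = 'admin' --' AND password = 'anything'
    payload = "admin' --"
    return {
        "vulnerable": login_vulnerable(conn, payload, "anything"),
        "parameterized": login_parameterized(conn, payload, "anything"),
        "legit": login_parameterized(conn, "admin", "s3cret-admin-pw"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name}: {row}")
```

Against the vulnerable function the payload returns the administrator row without a password, which is the "access with administrator privileges" outcome ICS-CERT describes; the parameterized function returns no row for the same input and still authenticates the genuine credentials.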

Another flaw, tracked as CVE-2016-8360, is a double free condition that allows an attacker to cause a denial-of-service (DoS) and possibly even execute arbitrary code.

The third vulnerability (CVE-2016-9332) has been described by ICS-CERT as an “improper input validation” issue that can lead to a crash of the application.

ICS-CERT said in its advisory that Moxa patched these security holes with the release of SoftCMS 1.6 on November 10, but the vendor's release notes show that the latest version only addresses the SQL injection issue.

A different SQL injection, also discovered by Zhou Yu, was patched by Moxa in its SoftCMS software a couple of months ago with the release of version 1.5. Versions 1.3 and 1.4, released last year, also fixed potentially serious flaws found by security researchers.

Vulnerabilities in Siemens-branded Vanderbilt CCTV cameras

Siemens and ICS-CERT informed users that several Siemens-branded Vanderbilt IP cameras are affected by a vulnerability (CVE-2016-9155) that allows an attacker with network access to obtain administrative credentials using specially crafted requests. Updates have been released by Vanderbilt for each of the affected products.

Vanderbilt Industries completed the acquisition of Siemens’ security products business in June 2015. Since the affected CCTV cameras are Siemens-branded products, the German engineering giant has published a security advisory on its own website.

Related: Flaws Found in Moxa Industrial Ethernet Products

Related: Privilege Escalation Flaw Affects Several Siemens Products

Related: Flaws Found in Moxa Factory Automation Products


Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

Cisco has released software updates for its WebEx Meetings Server product to address a couple of critical and high severity vulnerabilities that can be exploited remotely for arbitrary command execution and denial-of-service (DoS) attacks.

The critical flaw, tracked as CVE-2016-1482, is caused by insufficient sanitization of user-supplied data. An attacker can exploit it to execute arbitrary commands with elevated privileges by injecting the commands into existing application scripts running on a targeted device located in a DMZ (demilitarized zone).
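Cisco's advisory gives no detail on which script or parameter is affected, so the following is an added example of the general pattern, not WebEx code: a script that splices user input into a shell command line, next to a version that validates the input against an allow-list and passes arguments as a list so no shell ever parses them. The `echo` stand-in for a real command, the hostname regex and the payload are all assumptions of the example.

```python
import re
import subprocess

# Conservative hostname allow-list assumed for the example; real deployments
# should derive the pattern from what the script actually accepts.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_unsafe(host: str) -> str:
    """The vulnerable pattern: user input interpolated into a command line."""
    return f"echo pinging {host}"


def run_unsafe(host: str) -> str:
    # shell=True hands the whole string to /bin/sh, so ';', '|', '&&' and
    # '$(...)' in the input are interpreted as shell syntax. If the script
    # runs as root, the injected command runs as root too.
    result = subprocess.run(build_unsafe(host), shell=True,
                            capture_output=True, text=True)
    return result.stdout


def run_safe(host: str) -> str:
    """Validate first, then pass argv as a list: no shell, no metacharacters."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host argument: {host!r}")
    result = subprocess.run(["echo", "pinging", host],
                            capture_output=True, text=True)
    return result.stdout


def safe_rejects(host: str) -> bool:
    """True if the hardened path refuses the input instead of executing it."""
    try:
        run_safe(host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"   # constructed injection payload
    print("unsafe output:", repr(run_unsafe(payload)))
    print("safe rejects payload:", safe_rejects(payload))
    print("safe output:", repr(run_safe("10.0.0.1")))
```

With the payload, the unsafe path prints a second line (`INJECTED`) because the shell ran a second command; the hardened path rejects the same string before anything executes and still handles a well-formed host. Even with the list form, the allow-list check matters: arguments beginning with `-` can otherwise be interpreted as options by the target program.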

The high severity issue, identified as CVE-2016-1483, allows an unauthenticated attacker to cause a targeted device to enter a DoS condition by repeatedly attempting to access a specific service.

Both vulnerabilities affect WebEx Meetings Server version 2.6 and they have been addressed with the release of version 2.7. Cisco says it’s unaware of any instances where these flaws have been exploited for malicious purposes.

This is the second time in recent weeks that Cisco has updated its WebEx products to address serious vulnerabilities. The company recently patched critical and medium severity flaws in the WebEx Meetings Player.

Earlier this month, Cisco informed customers that a high severity vulnerability in its ACE30 Application Control Engine module and ACE 4700 series Application Control Engine appliances can be exploited for DoS attacks.

The company updated its initial advisory on Thursday to say that the issue will be resolved with the release of version A5(3.5), which is only expected to become available by November 30. What makes this vulnerability interesting is the fact that while it hasn’t been exploited for malicious purposes, it was triggered in some cases by a research project that scans the Internet for SSL/TLS servers.

Related: Cisco Updates ASA Software to Address NSA-Linked Exploit

Related: Cisco Patches Critical Flaws in Firepower Management Center


Alongside Microsoft and Adobe, SAP released this week its monthly security updates to address a total of 19 vulnerabilities, including three high severity issues.

The September 2016 Patch Day fixes include 11 security notes, 3 updates to previous notes, and 5 support package notes. Three of the flaws they resolve have been rated “high,” while the rest are considered “medium.”

Many of the vulnerabilities are missing authorization checks, one of the most common types of problem found in SAP products, but the patches also address information disclosure, denial-of-service (DoS), cross-site scripting (XSS) and SQL injection issues.

According to ERPScan, a company that specializes in protecting SAP and Oracle business-critical enterprise resource planning (ERP) systems, two of the three most severe vulnerabilities affect SAP Adaptive Server Enterprise (ASE), a relational model database management product.

The security holes are SQL injection flaws that allow attackers to execute specially crafted SQL queries.

“[ASE] stores all sensitive and valuable corporate data. It would be no exaggeration to say that the SAP ASE database is a treasure trove for hackers,” ERPScan wrote in a blog post.

“Both closed vulnerabilities are SQL Injections. It means that an authenticated user on the following SAP ASE server versions may be able to create and execute a stored procedure with SQL commands. This allows the attacker to elevate their privileges, modify database objects, or execute commands they are not authorized to execute,” the company explained.

The third most serious issue patched this month is a DoS vulnerability affecting the SAP Business Objects BI Launchpad product.

A report published by ERPScan last month revealed that, through June 2016, SAP had issued more than 3,660 security notes and support package notes to address thousands of vulnerabilities.

Security firm Onapsis reported that some of these vulnerabilities affected more than 10,000 of SAP’s customers. In May, Onapsis warned that up to 36 global businesses had been hacked through a SAP product flaw that was patched five years ago.

Related: SAP Patches Critical Code Injection, XSS Vulnerabilities

Related: SAP Patches Critical Clickjacking Vulnerabilities


Xen Project patches serious virtual machine escape flaws



The Xen Project has fixed four vulnerabilities in its widely used virtualization software, two of which could allow malicious virtual machine administrators to take over host servers.

Flaws that break the isolation layer between virtual machines are the most serious kind for a hypervisor like Xen, which allows users to run multiple VMs on the same underlying hardware in a secure manner.


The Xen hypervisor is widely used by cloud computing providers and virtual private server hosting companies like Linode, which had to reboot some of its servers over the past few days to apply the new patches.

The Xen updates, which were shared with partners in advance, were released publicly Thursday along with accompanying security advisories.

One vulnerability, identified as CVE-2016-7093, affects Hardware Virtual Machine (HVM) guests, which use hardware-assisted virtualization. It allows an administrator of a guest OS to escalate their privileges to those of the host.

The vulnerability affects Xen versions 4.7.0 and later, as well as the Xen 4.6.3 and 4.5.3 releases, but only deployments with HVM guests running on x86 hardware.

Another privilege escalation flaw, identified as CVE-2016-7092, affects the other type of virtual machine supported by Xen: paravirtualized (PV) guests. The vulnerability affects all Xen versions and allows administrators of 32-bit PV guests to gain privileges on the host.

The two other patched vulnerabilities, CVE-2016-7154 and CVE-2016-7094, can be exploited by guest administrators to cause denial-of-service conditions on the host. In the case of CVE-2016-7154, which only affects Xen 4.4, remote code execution and privilege escalation cannot be excluded, the Xen Project said in an advisory.

Meanwhile, CVE-2016-7094 affects all versions of Xen but only deployments hosting HVM guests on x86 hardware that are configured to run with shadow paging.