Month: June 2015
There is a privilege-escalation vulnerability in several versions of Ubuntu that results from the fact that the operating system fails to check permissions when users are creating files in some specific circumstances.
Security researcher Philip Pettersson discovered the vulnerability and reported it to Canonical, which maintains Ubuntu. The company has patched the bug, which is present in versions 12.04, 14.04, 14.10, and 15.04. If a local attacker is able to exploit the vulnerability he could get a root shell on a target machine. The vulnerability itself lies in the overlayfs component of Ubuntu, a file system that is designed to be a writeable filesystem in cases where an underlying one is read-only.
“The overlayfs filesystem does not correctly check file permissions when creating new files in the upper filesystem directory. This can be exploited by an unprivileged process in kernels with CONFIG_USER_NS=y and where overlayfs has the FS_USERNS_MOUNT flag, which allows the mounting of overlayfs inside unprivileged mount namespaces. This is the default configuration of Ubuntu 12.04, 14.04, 14.10, and 15.04,” the advisory from Pettersson says.
Pettersson has developed and published a proof-of-concept exploit for the Ubuntu vulnerability that gives the user a root shell. He said an attacker also would have the ability to list the contents of any directory on the machine, regardless of the permissions.
“The ovl_copy_up_* functions do not correctly check that the user has permission to write files to the upperdir directory. The only permissions that are checked is if the owner of the file that is being modified has permission to write to the upperdir. Furthermore, when a file is copied from the lowerdir the file metadata is carbon copied, instead of attributes such as owner being changed to the user that triggered the copy_up_* procedures,” the advisory says.
The patch for this vulnerability, CVE-2015-1328, caused a problem with version 12.04 of Ubuntu.
“The Fix for CVE-2015-1328 introduced a regression into the Linux kernel’s overlayfs file system. The removal of a directory that only exists on the lower layer results in a kernel panic,” a separate Ubuntu advisory says.
The type of coverage a vulnerability receives on social media often correlates to that threat’s level of risk, reveals a recent report.
This is just one of the findings of the 2015 State of Vulnerability Risk Management, a study issued earlier this month by NopSec Labs, a data science and research company that specializes in analyzing malware, exploit, vulnerability and other cyber threat risk patterns.
NopSec Labs published the report, which analyzes some 65,000 vulnerabilities stored in the National Vulnerability Database over the past 20 years, as well as a subset of more than 21,000 of those vulnerabilities identified across customers in all industries in order to evaluate the current state of vulnerability risk management across multiple industries.
Three notable takeways of the report included:
- SaaS providers have the highest number of vulnerabilities per asset.
- Cloud/IT companies have the lowest average remediation time.
- The exposure a vulnerability receives on social media often corresponds to its level of risk and severity rating.
These observations reflect Gemalto’s finding that over a billion records were compromised by data breaches in 2014. NopSec explains that many of these breaches were caused by unmitigated vulnerabilities. Despite advances in detection technologies, these types of risks continue to proliferate due to a host of challenges, including a lack of data and labor-intensive tasks.
It is worth exploring each takeaway in greater detail:
SAAS PROVIDERS HAVE THE HIGHEST NUMBER OF VULNERABILITIES PER ASSET
NopSec’s report reveals that Security-as-a-Service (SaaS) providers have the highest number of vulnerabilities per asset at 18 unique risks. This is followed by six in the financial sector, three in healthcare, and two in education.
When it comes to top vendors, Microsoft outranks all others in vulnerability count across all industries. This is no surprise in the financial sector given its widespread implementation on workstations and servers. Oracle, Sun, Adobe, and Red Hat are also represented in this particular industry.
Regarding the healthcare, education, and cloud/IT industries, open-source technologies, including OpenBSD, Apache, and Red Hat, are among the most vulnerable platforms.
CLOUD/IT COMPANIES HAVE THE LOWEST AVERAGE REMEDIATION TIME
Another finding of the 2015 State of Vulnerability Risk Management report is the significant variability in industry remediation time, here defined as the time that elapses between opening and closing a vulnerability ticket. Cloud providers have the lowest average remediation rate at 50 days, with healthcare companies taking nearly twice as long (an average of 97 days) to remediate its vulnerabilities. Meanwhile, the financial and education sectors have the highest remediation times at both 176 days.
Further analysis reveals even more striking differences. For example, it takes between one and six months to remediate more than a third (36%) of the financial industry’s vulnerabilities, with close to another third (32%) of that same sector’s risks remaining active for more than a year. In the healthcare industry, nearly all (96%) of vulnerabilities are remediated within six months, whereas the education sector takes between one and 12 months to address the sum total of its network risks. Meanwhile, 95% of risks uncovered by the cloud/IT industry receive attention within one month. This is important given NopSec’s finding that cloud and IT companies discover the greatest number of vulnerabilities per asset.
A VULNERABILITY’S EXPOSURE ON SOCIAL MEDIA OFTEN CORRESPONDS TO ITS LEVEL OF RISK AND SEVERITY RATING
Finally, NopSec’s study suggests that there is a correlation between a vulnerability’s security risk and the number of mentions it receives on social media. On average, vulnerabilities used in a targeted malware campaign received 115 tweets. This is significantly higher than the social media coverage witnessed by exploitable (15 tweets) and other (5 tweets) vulnerabilities.
The report also reveals a relationship between social media and a vulnerability’s Common Vulnerability Scoring System (CVSS) score. A direct correlation was not observed, but a clear trend was nonetheless evident, especially with regards to bugs like Heartbleed and Shellshock.
This is in contrast to the direct correlation observed between a vulnerability’s severity rating and its social media exposure. “Critical” vulnerabilities received an average of 748 tweets, which dwarfed the coverage received by vulnerabilities labeled “high” (89 tweets), “medium” (8 tweets), and “low” (3 tweets).
As 2015 State of Vulnerability Risk Management illustrates, while the cloud/IT sector is able to quickly remediate the vast majority of its risks, the same cannot be said about the financial, healthcare, and education industries. Companies in these sectors would therefore benefit from investing in technologies that provide data context if and when the appropriate resources become available. These solutions would assist IT teams in prioritizing security risks and in ultimately lowering their organizations’ average remediation time.
A trio of vulnerabilities were recently patched in eBay’s Magento e-commerce web application that could have let attackers carry out a handful of exploits, including phishing, session hijacking, and data interception.
Hadji Samir, a researcher at the firm Vulnerability Lab dug up the problems earlier this year but it wasn’t until this week that they were disclosed, along with proof of concept logs and videos.
Perhaps the most troublesome issue fixed in the platform was a persistent filename vulnerability. A remote attacker could have injected their own script code into the application-side of the affected service module. This could have resulted in session hijacking, persistent phishing, persistent external redirects, along with “persistent manipulation of affected or connected module context,” according to the vulnerability disclosure.
A video that demonstrates the bug shows an attacker logging into Magento, creating a new message, and starting a session tamper to intercept session data. From there they can change the filename to a malicious payload of their choosing.
Samir also found a cross-site scripting (XSS) bug in the platform that could have made it easy for an attacker to remotely inject their own script code into the application-side of the vulnerable online-service module. This could have opened client side accounts up to theft by hijacking, client-side phishing, client-side external redirects and like the other bug, non-persistent manipulation of affected or connected service modules.
The last bug, a cross site request forgery (CSRF) vulnerability, could have allowed “unauthorized client-side application functions without secure validation or session token protection mechanism.” Basically an attacker could have intercepted user sessions and deleted their internal Magento messages without authorization.
Samir found the XSS bug in February and the other two March but Magento’s Developer Team held off until May to patch the issues. They were then publicly disclosed by Vulnerability Lab on Monday, Tuesday, and Wednesday, this week.
Earlier this year developers fixed a remote code execution bug in the platform dug up by Check Point that could have exposed customers’ credit card information, along with other personal data.
Web stores running on Magento, purchased from eBay in 2011, make up about 30 percent of the eCommerce market.
The US National Vulnerability Database was itself left vulnerable to cross-site scripting last week.
The NVD serves as a definitive source of information on CVE security flaws. The XSS vulnerability meant that a skilled hacker could present surfers with content from arbitrary third-party sites as if it came from the NVD itself.
Security consultant Paul Moore, who brought the issue to our attention, told El Reg that the issue presented “minimal risk depending on how payload reaches the site, but could damage reputation/financial wellbeing of firms with fake CVEs”.
Moore put together a proof-of-concept YouTube video, demonstrating the flaw. XSS and SQL Injection regularly top the charts as the most common classes of web development security slip-ups.
In response to a request for comment from El Reg, a representative from NIST (National Institute of Standards and Technology – the organisation that runs the NVD site) said that the problem has been fixed:
The National Vulnerability Database (NVD) had an issue where it did not properly sanitise input received from NVD and partner systems. The issue has since been resolved and the Common Vulnerabilities and Exposures (CVEs) now display correctly.
Microsoft’s website dedicated to fighting the US government on matters of policy and surveillance has been hacked.
The site, which was launched in mid-2013 months after the Edward Snowden revelations were first published, soon became a platform for Microsoft’s corporate views on government surveillance and a new case dedicated to fighting an international search warrant.
But the site appears to have been modified around 9:15pm ET on Wednesday, and remains affected at the time of publication.
It’s not clear who is behind the attack.
At the very top of the site appears to be injected text with keywords, typically used to garner greater search engine hits, including keywords like “casino”, “blackjack”, and “roulette.” Some new pages have beeninjected to show content that embeds content from other casino-related websites. The rest of the site’s content appears to be intact.
The site’s code suggests it is running WordPress 4.0.5, an older version of the popular blogging software released in early May. The latest WordPress version is currently at 4.2.2.
Based on the kind of content injected into the site, it does not appear to be a cyberattack claimed by any particular group or hacker — more likely a scammer who’s able to exploit a weakness in an older version of the site’s software.
Within an hour of the attack, some of the content had been removed, but some buried pages remained.
We reached out to Microsoft but did not immediately hear back. We’ll update the piece once we hear back.
Six university researchers have revealed deadly zero-day flaws in Apple’s iOS and OS X, claiming it is possible to crack Apple’s keychain, break app sandboxes and bypass its App Store security checks so that attackers can steal passwords from any installed app including the native email client without being detected.
The team was able to upload malware to the Apple app store, passing the vetting process without triggering alerts that could raid the keychain to steal passwords for services including iCloud and the Mail app, and all those store within Google Chrome.
Lead researcher Luyi Xing told El Reg he and his team complied with Apple’s request to withhold publication of the research for six months, but had not heard back as of the time of writing.
They say the holes are still present in the Apple platforms meaning their work will likely be consumed by attackers looking to weaponise the work.
Apple was not immediately available for comment.
The Indiana University boffins Xing; Xiaolong Bai; XiaoFeng Wang, and Kai Chen, joined Tongxin Li of Peking University and Xiaojing Liao of Georgia Institute of Technology to develop the research detailed in the paper Unauthorized Cross-App Resource Access on MAC OS X and iOS.
“Recently we discovered a set of surprising security vulnerabilities in Apple’s Mac OS and iOS that allows a malicious app to gain unauthorised access to other apps’ sensitive data such as passwords and tokens for iCloud, Mail app and all web passwords stored by Google Chrome,” Xing told The Register’s security desk.
“Our malicious apps successfully went through Apple’s vetting process and was published on Apple’s Mac app store and iOS app store.
“We completely cracked the keychain service – used to store passwords and other credentials for different Apple apps – and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps.”
The team was able to raid banking credentials from Google Chrome on the latest Mac OS X 10.10.3, using a sandboxed app to steal the system’s keychain and secret iCloud tokens, and passwords from password vaults.
Photos were stolen from WeChat and the token for popular cloud service Evernote nabbed allowing it to be fully compromised.
“The consequences are dire,” the team wrote in the paper.
Some 88.6 percent of 1612 Mac and 200 iOS apps were found “completely exposed” to unauthorised cross-app resource access (XARA) attacks allowing malicious apps to steal otherwise secure data.
Xing says he reported the flaws to Apple in October 2014.
Apple security officers responded in emails seen by El Reg expressing understanding for the gravity of the attacks and asking for a six month extension and in February requesting an advanced copy of the research paper before it was made public.
Google’s Chromium security team was more responsive and removed Keychain integration for Chrome noting that it could likely not be solved at the application level.
AgileBits, owner of popular software 1Password, said it could not find a way to ward off the attacks or make the malware “work harder” some four months after disclosure.
The team’s work into XARA attacks is the first of its kind for Apple’s app isolation mechanisms designed to stop malicious apps from raiding each other. They found “security-critical vulnerabilities” including cross-app resource-sharing mechanisms and communications channels such as keychain, WebSocket and Scheme.
“Note that not only does our attack code circumvent the OS-level protection but it can also get through the restrictive app vetting process of the Apple Stores, completely defeating its multi-layer defense,” the researchers wrote in the paper.
They say almost all XARA flaws arise from Apple’s cross-app resource sharing and communication mechanisms such as keychain for sharing passwords, BID based separation, and URL scheme for app invocation, which is different from how the Android system works.
Their research, previously restricted to Android, would lead to a new line of work for the security community studying how the vulnerabilities affect Apple and other platforms.
Here’s the boffins’ description of their work:
“Our study brings to light a series of unexpected, security-critical aws that can be exploited to circumvent Apple’s isolation protection and its App Store’s security vetting. The consequences of such attacks are devastating, leading to complete disclosure of the most sensitive user information (e.g., passwords) to a malicious app even when it is sandboxed.
Such findings, which we believe are just a tip of the iceberg, will certainly inspire the follow-up research on other XARA hazards across platforms. Most importantly, the new understanding about the fundamental cause of the problem is invaluable to the development of better app isolation protection for future OSes.”
If you use LastPass to store all your passwords, you may want to change your master password. Users’ vaults containing their passwords for myriad accounts across the web are safe, but email addresses, password reminders and the code that could reveal master passwords may have been taken, according to a post from LastPass.
All users logging in from a new device or IP address will be asked verify their accounts via email unless they have multifactor authentication enabled. Those with multifactor authentication are likely safe from any breach into their password vault. LastPass will also require all users to change their password.
While the company asked users to wait to change passwords until asked, it appears the password reset system is currently overwhelmed.
This might not be the first time LastPass has been breached. In 2011, the site noticed an anomaly in data traffic that may have been the result of leaked passwords. Venture Beat also points out a Google security alert page posted to Imgur three weeks ago that may be related to the hack.
This should serve as a reminder that multifactor authentication should always be used. It’s available for most sites, including Facebook, Twitter and many banks and email accounts.
LastPass was also vulnerable because it provided storage for all passwords in the cloud. Some other password vault programs don’t store any password information on their servers, allowing users to sync data through other services and requiring hackers to access both the cloud-storage account and the master password for the vault. We’ve recommended 1Password before, but KeePass also provides a more secure (if less convenient) option.