secfeeds_vulnheadlines

VU#693036: Datalex airline booking software allowed authorization bypass for arbitrary users

CERT — Wed, 30 Sep 2015 22:29:19 +0000

Vulnerability Note VU#693036

Datalex airline booking software allowed authorization bypass for arbitrary users

Original Release date: 30 Sep 2015 | Last revised: 30 Sep 2015

Overview

Datalex provides a suite of software offerings for the airline industry which supports a customizable flight browsing, booking, payment, and analytics. The Datalex airline booking software contained an error in its error handling routines which allows authorization bypass and loss of confidentiality for arbitrary users.

Description

CWE-639: Authorization Bypass Through User-Controlled Key - CVE-2015-2858

By modifying HTTP POST parameters, an attacker may cause the Datalex application to return null values when querying data from the database. The application error handling enters a failed state due to the null value, allowing an attacker to hijack an account of choice through modification of the profileId parameter via a POST action to ValidateFormAction.do and ProfileConfirmEditAddressAction.do.

Impact

This vulnerability may have resulted in complete loss of confidentiality of all user data, as well as allow unauthenticated remote users the ability to modify arbitrary user data. The full impact may depend on server settings, which may vary between individual instances of the Datalex software suite.

Solution

Updated applied already, no action required

Datalex has confirmed this issue and has worked with all affected airlines to update their software. According to Datalex, all affected airlines have deployed the update as of September 3rd, 2015.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
Datalex	Affected	11 May 2015	03 Jun 2015

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	7.8	AV:N/AC:L/Au:N/C:C/I:N/A:N
Temporal	6.4	E:F/RL:OF/RC:C
Environmental	6.4	CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

http://cwe.mitre.org/data/definitions/639.html

Credit

Thanks to the reporter who wishes to remain anonymous. Thanks to Datalex for working quickly with us and affected vendors to address the issue.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2015-2858
Date Public: 30 Sep 2015
Date First Published: 30 Sep 2015
Date Last Updated: 30 Sep 2015
Document Revision: 59

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MS15-099 - Critical: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3089664) - Version: 3.0

Wed, 30 Sep 2015 07:00:00 +0000

Severity Rating: Critical
Revision Note: V3.0 (September 30, 2015): Revised bulletin to announce the availability of an update package for Microsoft Office 2016. Customers running Microsoft Office 2016 should apply the 2910993 update to be protected from the vulnerabilities discussed in this bulletin. The majority of customers have automatic updating enabled and will not need to take any action because the update will be downloaded and installed automatically.
Summary: This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

MS15-097 - Critical: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3089656) - Version: 2.0

Wed, 30 Sep 2015 07:00:00 +0000

Severity Rating: Critical
Revision Note: V2.0 (September 30, 2015): Revised bulletin to announce the availability of an update package for Skype for Business 2016. Customers running Skype for Business 2016 should apply the 2910994 update to be protected from the vulnerabilities discussed in this bulletin. The majority of customers have automatic updating enabled and will not need to take any action because the update will be downloaded and installed automatically.
Summary: This security update resolves vulnerabilities in Microsoft Windows, Microsoft Office, and Microsoft Lync. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts.

MS15-092 - Important: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (3086251) - Version: 1.2

Fri, 25 Sep 2015 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.2 (September 25, 2015): Added a footnote to the Affected Software table to inform customers that Windows Server Technical Preview 2 is affected. Customers running this operating system are encouraged to apply the update, which is available via Windows Update.
Summary: This security update resolves vulnerabilities in Microsoft .NET Framework. The vulnerabilities could allow elevation of privilege if a user runs a specially crafted .NET application. However, in all cases, an attacker would have no way to force users to run the application; an attacker would have to convince users to do so.

MS15-101 - Important: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (3089662) - Version: 1.1

Fri, 25 Sep 2015 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.1 (September 25, 2015): Removed Windows Server Technical Preview 3 from the Affected Software table footnote because it is not affected by the vulnerabilities described in this security bulletin. This is an informational change only. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves vulnerabilities in Microsoft .NET Framework. The most severe of the vulnerabilities could allow elevation of privilege if a user runs a specially crafted .NET application. However, in all cases, an attacker would have no way to force users to run the application; an attacker would have to convince users to do so.

VU#804060: Cookies set via HTTP requests may be used to bypass HTTPS and reveal private information

CERT — Thu, 24 Sep 2015 14:36:20 +0000

Vulnerability Note VU#804060

Cookies set via HTTP requests may be used to bypass HTTPS and reveal private information

Original Release date: 24 Sep 2015 | Last revised: 24 Sep 2015

Overview

RFC 6265 (previously RFC 2965) established HTTP State Management, also known as "cookies". In most web browser implementations of RFC 6265, cookies set via HTTP requests may allow a remote attacker to bypass HTTPS and reveal private session information.

Description

HTTP cookies have long been known to lead to potential security issues when managing HTTP state. For example, in RFC 6265, Section 8.6:

Cookies do not provide integrity guarantees for sibling domains (and their subdomains). For example, consider foo.example.com and bar.example.com. The foo.example.com server can set a cookie with a Domain attribute of "example.com" (possibly overwriting an existing "example.com" cookie set by bar.example.com), and the user agent will include that cookie in HTTP requests to bar.example.com. In the worst case, bar.example.com will be unable to distinguish this cookie from a cookie it set itself. The foo.example.com server might be able to leverage this ability to mount an attack against bar.example.com.

as well as in RFC 6265, Section 8.5:

Cookies do not provide isolation by port. If a cookie is readable by a service running on one port, the cookie is also readable by a service running on another port of the same server. If a cookie is writable by a service on one port, the cookie is also writable by a service running on another port of the same server.

...

Cookies do not provide isolation by scheme. Although most commonly used with the http and https schemes, the cookies for a given host might also be available to other schemes, such as ftp and gopher.

According to the researchers:

A cookie can contain a “secure” flag, indicating that it should be only sent over an HTTPS connection. Yet there is no corresponding flag to indicate how a cookie was set: attackers who act as a man-in-the-midddle even temporarily on an HTTP session can inject cookies which will be attached to subsequent HTTPS connections.

Since RFC 6265 does not specify any mechanism to provide isolation and integrity guarantees, web browser implementations do not always authenticate the domain setting a cookie. A malicious attacker can utilize this to set a cookie that is later used via an HTTPS connection instead of the cookie set by the actual site; for example, an attacker may set cookies for example.com that override the real cookie for www.example.com when the victim is loading HTTPS content. By exploiting other weaknesses in the server, the attacker-controlled cookie may be used to obtain private information. Note that typical Same Origin Policy (RFC 6454) does not apply to cookies and so does not mitigate this attack.

For more details on how an HTTPS session may be compromised by this attack, please see the research paper by Zheng, et. al., published at USENIX Security 2015.

Some web browser vendors have noted previous attempts at more secure cookie management have been foiled due to the lack of a widely implemented standard.

The IETF HTTP State Management Mechanism (httpstate) Working Group that drafted RFC 6265 was concluded in April 2011.

Impact

A remote attacker may be able to obtain private information from a victim's HTTPS session.

Solution

A complete solution may include future updates to RFC 6265 and/or RFC 6454 to enable safer handling of cookies via an updated same origin policy for cookies.

However, the following workarounds help mitigate this issue:

Deploy HSTS on top-level domain

According to the researchers, website operators should deploy HSTS (RFC 6797) on the top-level domain they control, and utilize the includeSubDomains option. This partially mitigates the attacker's ability to set top-level cookies that may override subdomain cookies.

In general, website operators following best practices for secure website deployment will partially mitigate this attack.

Upgrade your browser

Ensure you are using the latest version of your browser of choice so you have full HSTS support. In particular, if using Internet Explorer, please update to IE 11 or later. HSTS support was added to IE11 in June 2015.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
Apple	Affected	19 May 2015	31 Aug 2015
Google	Affected	19 May 2015	31 Aug 2015
Microsoft Corporation	Affected	19 May 2015	16 Sep 2015
Mozilla	Affected	19 May 2015	31 Aug 2015
Opera	Affected	19 May 2015	16 Sep 2015
Vivaldi	Affected	17 Aug 2015	16 Sep 2015

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	6.8	AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal	5.8	E:POC/RL:W/RC:C
Environmental	5.8	CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Jian Jiang, Nicholas Weaver, et. al., for disclosing this vulnerability at USENIX Security 2015.

This document was written by Garret Wassermann.

Other Information

CVE IDs: Unknown
Date Public: 13 Aug 2015
Date First Published: 24 Sep 2015
Date Last Updated: 24 Sep 2015
Document Revision: 82

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MS15-098 - Critical: Vulnerabilities in Windows Journal Could Allow Remote Code Execution (3089669) - Version: 1.1

Wed, 23 Sep 2015 07:00:00 +0000

Severity Rating: Critical
Revision Note: V1.1 (September 23, 2015): Bulletin revised to correct the severity and impact for CVE-2015-2514. This is an informational change only. Customers who have already successfully installed the update do not need to take any action.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Journal file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

VU#374092: Web Reference Database (refbase) contains multiple vulnerabilities

CERT — Mon, 21 Sep 2015 20:45:20 +0000

Vulnerability Note VU#374092

Web Reference Database (refbase) contains multiple vulnerabilities

Original Release date: 21 Sep 2015 | Last revised: 21 Sep 2015

Overview

Web Reference Database (refbase) versions 0.9.6 and possibly earlier contain multiple vulnerabilities.

Description

Web Reference Database (refbase) versions 0.9.6 and possibly earlier contain multiple vulnerabilities.

CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2015-6007

The application does not employ cross-site request forgery protection (CSRF) mechanisms, such as CSRF tokens.

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - CVE-2015-6008

The install.php file is vulnerable to command injection attacks via the adminPassword POST parameter. An attacker can also pass malicious remote file paths to the pathToMYSQL and databaseStructureFile POST parameters. Assuming the target system is able to access those remote paths, it will execute them within the context of the server application's user.

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2015-6009

The install.php file is vulnerable to SQL Injection via the defaultCharacterSet POST parameter.

The rss.php file is vulnerable to SQL Injection via the where GET parameter.

The search.php file is vulnerable to SQL Injection via the sqlQuery GET parameter.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2015-6010

The install.php file is vulnerable to reflected cross-site scripting (XSS) attacks via the adminUserName, pathToMYSQL, databaseStructureFile, and pathToBibutils POST parameters.

The error.php file is vulnerable to reflected XSS attacks via the errorNo and errorMsg GET parameters.

The duplicate_manager.php file is vulnerable to a reflected XSS attack via the viewType GET parameter.

The query_manager.php file contains multiple reflected XSS vulnerabilities. When the customQuery GET parameter is set to "1", the queryAction, displayType, citeOrder, sqlQuery, showQuery, showLinks, and showRows GET parameters are all vulnerable to reflected XSS attacks. When customQuery is not provided or set to "1", only the queryID GET parameter is vulnerable. It should be noted that while the query_manager.php file is only accessible by authenticated users, the lack of CSRF protections could still enable unauthenticated attackers to exploit these XSS vulnerabilities.

The import.php file is vulnerable to reflected XSS attacks via the sourceText and sourceIDs POST variables.

The update.php file is vulnerable to reflected XSS attacks via the adminUserName POST parameter.

The application is vulnerable to stored XSS attacks through the modify.php file's typeName and fileName POST parameters. When rendered by the search.php and advanced_search.php pages, the injected Javascript in these stored values will not be safely escaped.

CWE-91: XML Injection (aka Blind XPath Injection) - CVE-2015-6011

Arbitrary XML can be injected via the unapi.php file's id GET parameter, as well as the sru.php file's stylesheet GET parameter.

CWE-601: URL Redirection to Untrusted Site ('Open Redirect') - CVE-2015-6012

Multiple pages are vulnerable to open redirection attacks by passing a referrer GET parameter with a malicious URL as its value in the request.

The CVSS score reflects CVE-2015-6008.

Impact

A remote, unauthenticated attacker could submit valid requests to the server on behalf of authenticated users, execute arbitrary scripts in the context of a victim's browser, directly read, write, and modify arbitrary data in the application's database, redirect victims to malicious web addresses, and execute arbitrary code on the server.

Solution

The refbase maintainers have not published a new release at this time. However, they have committed fixes for some of these issues to the bleeding-edge SVN branch. To apply these fixes, users can download the latest repository snapshot.

The SQL Injection vulnerabilities in rss.php and search.php have not yet been fixed. According to the project maintainers, the vulnerabilities in install.php and update.php will not be fixed (see workaround below).

For users who cannot upgrade at this time or do not wish to use an unofficial release of this software, please consider using the following workarounds:

Manually remove install.php and update.php

The install.php and update.php files are administrative files for installing and updating the application. When they are not needed, project maintainers suggest manually removing these vulnerable files from production deployments of the application.

Restrict access

Restrict access to the application to trusted users and networks.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
Web Reference Database	Affected	05 Jan 2015	15 Sep 2015

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	7.5	AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal	6.4	E:POC/RL:W/RC:C
Environmental	1.7	CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Mohab Ali for reporting this vulnerability.

This document was written by Todd Lewellen.

Other Information

CVE IDs: CVE-2015-6007 CVE-2015-6008 CVE-2015-6009 CVE-2015-6010 CVE-2015-6011 CVE-2015-6012
Date Public: 21 Sep 2015
Date First Published: 21 Sep 2015
Date Last Updated: 21 Sep 2015
Document Revision: 37

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Vuln: Symantec Endpoint Protection Manager CVE-2015-1487 Arbitrary File Write Vulnerability

Thu, 17 Sep 2015 00:00:00 +0000

Symantec Endpoint Protection Manager CVE-2015-1487 Arbitrary File Write Vulnerability

Vuln: Linux Kernel 'perf_callchain_user_64()' Function Denial of Service Vulnerability

Thu, 17 Sep 2015 00:00:00 +0000

Linux Kernel 'perf_callchain_user_64()' Function Denial of Service Vulnerability

Vuln: Adobe Flash Player and AIR APSB15-19 Multiple Use After Free Remote Code Execution Vulnerabilities

Thu, 17 Sep 2015 00:00:00 +0000

Adobe Flash Player and AIR APSB15-19 Multiple Use After Free Remote Code Execution Vulnerabilities

Vuln: Adobe FlashPlayer and AIR APSB15-19 Type Confusion Multiple Remote Code Execution Vulnerabilities

Thu, 17 Sep 2015 00:00:00 +0000

Adobe FlashPlayer and AIR APSB15-19 Type Confusion Multiple Remote Code Execution Vulnerabilities

MS15-104 - Important: Vulnerabilities in Skype for Business Server and Lync Server Could Allow Elevation of Privilege (3089952) - Version: 1.1

Fri, 11 Sep 2015 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.1 (September 11, 2015): Bulletin revised to update the prerequisite detail in the Update FAQ section. This is an informational change only. Customers who have already successfully installed the updates do not need to take any action.
Summary: This security update resolves vulnerabilities in Skype for Business Server and Microsoft Lync Server. The most severe of these vulnerabilities could allow elevation of privilege if a user clicks a specially crafted URL. An attacker would have to convince users to click a link in an instant messenger or email message that directs them to an affected website by way of a specially crafted URL.

VU#906576: Securifi Almond routers contains multiple vulnerabilities

CERT — Thu, 10 Sep 2015 13:17:21 +0000

Vulnerability Note VU#906576

Securifi Almond routers contains multiple vulnerabilities

Original Release date: 10 Sep 2015 | Last revised: 15 Sep 2015

Overview

Securifi Almond, firmware version AL1-R200-L302-W33 and earlier, and Securifi Almond 2015, firmware version AL2-R088 and earlier, contain multiple vulnerabilities.

Description

CWE-330: Use of Insufficiently Random Values - CVE-2015-2914

Securifi Almond and Almond 2015 use static source ports for all DNS queries originating from the local area network (LAN). Additionally, DNS queries originating from the Almond itself, such as those to resolve the name of the firmware update server, use predictable TXIDs that start at 0x0002 and increase incrementally. An attacker with the ability to spoof DNS responses can cause Almond LAN clients to contact incorrect or malicious hosts under the attacker's control.

CWE-319: Cleartext Transmission of Sensitive Information

Securifi uses HTTP by default for checking and transmitting firmware update information to Almond products. An attacker capable of conducting man-in-the-middle attacks can manipulate traffic to block updates or inject arbitrary files.

Note that as of August 24, 2015, Securifi has changed its firmware upgrade servers to use HTTPS.

CWE-255: Credentials Management - CVE-2015-2915

Securifi Almond uses a default password of admin for the admin account. A local area network attacker can gain privileged access to the web management interface or leverage default credentials in remote attacks such as cross-site request forgery.

CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2015-2916

Securifi Almond and Almond 2015 contain a global cross-site request forgery (CSRF) vulnerability. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request. Note that in combination with default credentials, an attacker can establish an active session as part of an attack and therefore would not require a victim to be logged in.

CWE-20: Improper Input Validation - CVE-2015-2917

The Securifi Almond and Almond 2015 web management interfaces do not enforce the same-origin policy in X-Frame-Options response headers. An attacker can conduct clickjacking attacks via a specially crafted web page.

The CVSS score below applies to CVE-2015-2916.

Impact

A remote, unauthenticated attacker may be able to spoof DNS responses to cause Almond LAN clients to contact attacker-controlled hosts or induce an authenticated user into making an unintentional request to the web server that will be treated as an authentic request.

Solution

Apply an update

Securifi has released firmware versions to address these vulnerabilities. Almond users should upgrade to AL1-R201EXP10-L304-W34 or later. Almond 2015 users should upgrade to AL2-R088M or later.

Note that the firmware updates mitigate the CSRF and clickjacking vulnerabilities by disabling the web management interface. Users may still enable web management from the Almond touch screen controls, but doing so will render their devices vulnerable. The CERT/CC is currently unaware of a practical solution to this problem and recommends the following workaround.

Limit usage of web management

Users should disable the web management interface if there is no immediate need to use it. When disabling the interface is not an option, users should implement strong password protection, and never leave the web management interface open and logged in while browsing other web sites.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
Securifi	Affected	09 Jul 2015	24 Aug 2015

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	6.8	AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal	5.8	E:POC/RL:W/RC:C
Environmental	4.4	CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

These vulnerabilities were reported by Joel Land of the CERT/CC.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2015-2914 CVE-2015-2915 CVE-2015-2916 CVE-2015-2917
Date Public: 10 Sep 2015
Date First Published: 10 Sep 2015
Date Last Updated: 15 Sep 2015
Document Revision: 30

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#549807: Impero Education Pro classroom management software vulnerable to remote code execution

CERT — Wed, 09 Sep 2015 12:54:20 +0000

Vulnerability Note VU#549807

Impero Education Pro classroom management software vulnerable to remote code execution

Original Release date: 09 Sep 2015 | Last revised: 10 Sep 2015

Overview

Impero Software Education Pro classroom management software is vulnerable to remote code execution via improper encryption and authentication mechanisms.

Description

CWE-321: Use of Hard-coded Cryptographic Key

CWE-329: Not Using a Random IV with CBC Mode - CVE-2015-5997

According to the reporter, Impero uses a custom encryption protocol derived from AES-128 CBC. However, the AES implementation uses a hard-coded encryption key and initialization vector that are both derived from the SHA512 of the string "Imp3ro". Use of these hard-coded encryption values common to all instances of Impero allows an attacker to decrypt packets.

CWE-287: Improper Authentication - CVE-2015-5998

According to the reporter, authentication is performed only by sending the message "-1|AUTHENTICATE\x02PASSWORD". As this message may be spoofed once the encryption method is known, this authentication method is insufficient properly perform authentication.

Once authentication is gained, the attacker may execute Impero commands. These Impero commands include the ability to run programs with SYSTEM privileges, which an attacker may be able to use to remotely execute code.

According to Impero Software, Impero 5008 and below are vulnerable.

Impact

A remote unauthenticated attacker may be able to execute commands on the machine running Impero.

Solution

Apply an update

Impero has released Impero 5105 to address this issue. Affected users are encouraged to update to Impero 5105 or later as soon as possible. Affected users may contact Impero Software support for more information and to obtain the update.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
Impero	Affected	29 Jul 2015	01 Sep 2015

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	10.0	AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal	7.8	E:POC/RL:OF/RC:C
Environmental	5.9	CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

None

Credit

Thanks to slipstream/RoL for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2015-5997 CVE-2015-5998
Date Public: 14 Jul 2015
Date First Published: 09 Sep 2015
Date Last Updated: 10 Sep 2015
Document Revision: 61

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MS15-103 - Important: Vulnerabilities in Microsoft Exchange Server Could Allow Information Disclosure (3089250) - Version: 1.0

Tue, 08 Sep 2015 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.0 (September 8, 2015): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow information disclosure if Outlook Web Access (OWA) fails to properly handle web requests, and sanitize user input and email content.

MS15-105 - Important: Vulnerability in Windows Hyper-V Could Allow Security Feature Bypass (3091287) - Version: 1.0

Tue, 08 Sep 2015 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.0 (September 8, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker runs a specially crafted application that could cause Windows Hyper-V to improperly check configuration settings. Customers who have not enabled the Hyper-V role are not affected.

MS15-096 - Important: Vulnerability in Active Directory Service Could Allow Denial of Service (3072595) - Version: 1.0

Tue, 08 Sep 2015 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.0 (September 8, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in Active Directory. The vulnerability could allow denial of service if an authenticated attacker creates multiple machine accounts. To exploit the vulnerability an attacker must have an account that has privileges to join machines to the domain.

MS15-094 - Critical: Cumulative Security Update for Internet Explorer (3089548) - Version: 1.0

Tue, 08 Sep 2015 07:00:00 +0000

Severity Rating: Critical
Revision Note: V1.0 (September 8, 2015): Bulletin published.
Summary: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

MS15-102 - Important: Vulnerabilities in Windows Task Management Could Allow Elevation of Privilege (3089657) - Version: 1.0

Tue, 08 Sep 2015 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.0 (September 8, 2015): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application.

MS15-083 - Important: Vulnerability in Server Message Block Could Allow Remote Code Execution (3073921) - Version: 2.0

Tue, 08 Sep 2015 07:00:00 +0000

Severity Rating: Important
Revision Note: V2.0 (September 8, 2015): To comprehensively address CVE-2015-2472, Microsoft re-released security update 3073921 for affected editions of Windows Vista and Windows Server 2008. Customers running Windows Vista or Windows Server 2008 who previously installed the update should reinstall the update to be fully protected from the vulnerability. See Microsoft Knowledge Base Article 3073921 for more information.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends a specially crafted string to the SMB server error logging.

MS15-100 - Important: Vulnerability in Windows Media Center Could Allow Remote Code Execution (3087918) - Version: 1.0

Tue, 08 Sep 2015 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.0 (September 8, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if Windows Media Center opens a specially crafted Media Center link (.mcl) file that references malicious code. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

MS15-080 - Critical: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3078662) - Version: 2.1

Tue, 08 Sep 2015 07:00:00 +0000

Severity Rating: Critical
Revision Note: V2.1 (September 8, 2015): Revised bulletin to add an Update FAQ that explains why customers running Office 2010 on Windows Vista and later versions of Windows are not being offered the 3054846 update.
Summary: This security update resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Microsoft Lync, and Microsoft Silverlight. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded TrueType fonts.

MS15-095 - Critical: Cumulative Security Update for Microsoft Edge (3089665) - Version: 1.0

Tue, 08 Sep 2015 07:00:00 +0000

Severity Rating: Critical
Revision Note: V1.0 (September 8, 2015): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

VU#845332: OrientDB and Studio prior to version 2.1.1 contain multiple vulnerabilities

CERT — Thu, 03 Sep 2015 19:31:18 +0000

Vulnerability Note VU#845332

OrientDB and Studio prior to version 2.1.1 contain multiple vulnerabilities

Original Release date: 03 Sep 2015 | Last revised: 03 Sep 2015

Overview

Studio for OrientDB Server Community Edition version prior to version 2.1.1 contains several vulnerabilities.

Description

CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2015-2912

The Studio web interface to OrientDB contains a CSRF vulnerability. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request.

The version of Studio bundled with OrientDB Community Edition version 2.0.3 has been reported as vulnerable. Other versions prior to version 2.0.15 and 2.1.1 may also be vulnerable.

CWE-330: Use of Insufficiently Random Values - CVE-2015-2913

OrientDB prior to version 2.1.0 utilizes the Java library java.util.Random for Session IDs. However, this class is not random enough for security-related use. An attacker may be able to use this value to determine the internal state of the random number generator and predict future values.

CWE-20: Improper Input Validation - CVE-2015-2918

OrientDB Studio web management interface does not by default enforce the same-origin policy in X-Frame-Options response headers. An attacker can conduct clickjacking attacks via a crafted web page.

Impact

An unauthenticated remote attacker may perform actions with the same permissions of a victim user. An authenticated user may be able to gain administrative privileges to the database by manipulating the Session ID.

Solution

Apply an update

OrientDB has released versions 2.0.15 and 2.1.1 to address CVE-2015-2912 and CVE-2015-2913.

Affected users are encouraged to update as soon as possible.

The update addresses CVE-2015-2912 by disabling JSONP by default. Consider your threat model, mitigations, and needs before re-enabling this functionality.

CVE-2015-2913 is addressed by using java.security.SecureRandom to generate random numbers.

Set HTTP additional X-Frame-Options header

Setting the additional X-Frame-Options header prevents clickjacking attacks (CVE-2015-2918). To enable this, use the following command line argument when starting the server: -Dnetwork.http.additionalResponseHeaders="X-FRAME-OPTIONS: DENY"

or add this value to the server's orientdb-server-config.xml file.

Alternately, you may consider the following workarounds:

Disable OrientDB Studio

Consider disabling Studio if it is not required. Disabling Studio prevents these issues from being accessible.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
Orient Technologies	Affected	10 Jun 2015	18 Aug 2015

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	6.0	AV:N/AC:M/Au:S/C:P/I:P/A:P
Temporal	5.1	E:POC/RL:U/RC:UR
Environmental	3.8	CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Raffaela Frank for reporting this vulnerability to us.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2015-2912 CVE-2015-2913 CVE-2015-2918
Date Public: 31 Aug 2015
Date First Published: 03 Sep 2015
Date Last Updated: 03 Sep 2015
Document Revision: 48

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#630872: Mediabridge Medialink Wireless-N Broadband Router MWN-WAPR300N contains multiple vulnerabilities

CERT — Thu, 03 Sep 2015 17:05:18 +0000

Vulnerability Note VU#630872

Mediabridge Medialink Wireless-N Broadband Router MWN-WAPR300N contains multiple vulnerabilities

Original Release date: 03 Sep 2015 | Last revised: 03 Sep 2015

Overview

Mediabridge Medialink Wireless-N Broadband Router MWN-WAPR300N, firmware version 5.07.50 and possibly earlier, uses non-unique default credentials and is vulnerable to universal authentication bypass and cross-site request forgery (CSRF).

Description

CWE-255: Credentials Management - CVE-2015-5994

Medialink MWN-WAPR300N by default uses the common admin:admin credentials for the web management interface and uses medialink:password for the wireless network. An attacker within range of a wireless network using default settings can connect and gain privileged access to the web management interface. Additionally, default credentials can be leveraged in remote attacks such as cross-site request forgery.

CWE-784: Reliance on Cookies without Validation and Integrity Checking in a Security Decision - CVE-2015-5995

Authorization in the Medialink MWN-WAPR300N is handled by checking the HTTP Cookie header that is sent by the client. An unauthenticated, local area network (LAN) attacker can modify the cookie header of a request to "Cookie: language-en; admin:language-en" and gain admin access to restricted pages of the web management interface without any knowledge of credentials. This authentication bypass works regardless of whether the administrator account username has been changed from 'admin.'

CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2015-5996

Medialink MWN-WAPR300N routers contain a global cross-site request forgery (CSRF) vulnerability. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request. Note that in combination with default credentials, an attacker can establish an active session as part of an attack and does not require a victim to be logged in.

The CVSS score below describes CVE-2015-5996.

Impact

A remote, unauthenticated attacker may be able to induce an authenticated user into making an unintentional request to the web server that will be treated as an authentic request. A LAN-based attacker can bypass authentication to take complete control of a vulnerable device.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. Until these vulnerabilities are addressed, users should consider the following workarounds.

Restrict access and use strong passwords

As a general good security practice, only allow trusted hosts to connect to the LAN. Implement strong passwords for WiFi and for the web management interface. While passwords do not provide any additional security against LAN-based attackers due to the authentication bypass vulnerability, passwords can help to prevent blind guessing attempts that would establish sessions for CSRF attacks. LAN hosts should not browse the Internet while the web management interface has an active session in a browser tab.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
Mediabridge	Affected	01 Jul 2015	02 Sep 2015

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	6.8	AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal	6.1	E:POC/RL:U/RC:C
Environmental	4.6	CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

These vulnerabilities were reported by Joel Land of the CERT/CC.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2015-5994 CVE-2015-5995 CVE-2015-5996
Date Public: 03 Sep 2015
Date First Published: 03 Sep 2015
Date Last Updated: 03 Sep 2015
Document Revision: 13

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MS15-081 - Critical: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3080790) - Version: 2.0

Wed, 02 Sep 2015 07:00:00 +0000

Severity Rating: Critical
Revision Note: V2.0 (September 2, 2015): Bulletin revised to announce that the 3039798 update for Microsoft Office 2013 RT Service Pack 1 is available via Windows Update.
Summary: This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

VU#903500: Seagate and LaCie wireless storage products contain multiple vulnerabilities

CERT — Tue, 01 Sep 2015 13:36:20 +0000

Vulnerability Note VU#903500

Seagate and LaCie wireless storage products contain multiple vulnerabilities

Original Release date: 01 Sep 2015 | Last revised: 10 Sep 2015

Overview

Multiple Seagate wireless storage products contain multiple vulnerabilities.

Description

CWE-798: Use of Hard-coded Credentials - CVE-2015-2874

Some Seagate wireless storage products provide undocumented Telnet services accessible by using the default credentials of 'root' as username and the default password.

CWE-425: Direct Request ('Forced Browsing') - CVE-2015-2875

Under a default configuration, some Seagate wireless storage products provides an unrestricted file download capability to anonymous attackers with wireless access to the device. An attacker can directly download files from anywhere on the filesystem.

CWE-434: Unrestricted Upload of File with Dangerous Type - CVE-2015-2876

Under a default configuration, some Seagate wireless storage products provides a file upload capability to anonymous attackers with wireless access to the device's /media/sda2 filesystem. This filesystem is reserved for file-sharing.

These vulnerabilities were confirmed by the reporter as existing in firmware versions 2.2.0.005 and 2.3.0.014, dating to October 2014. Other firmware versions may be affected.

The following devices are impacted by this issue:

Seagate Wireless Plus Mobile Storage
Seagate Wireless Mobile Storage
LaCie FUEL (note that LaCie is a subsidiary of Seagate since 2012)

Impact

A remote unauthenticated attacker may access arbitrary files on the storage device, or gain root access to the device.

Solution

Update the firmware
Seagate has released firmware 3.4.1.105 to address these issues in all affected devices. Affected users are encouraged to update the firmware as soon as possible. Customers may download the firmware from Seagate's website. Seagate encourages any customer encountering issues to contact customer service at 1-800-SEAGATE.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
LaCie	Affected	-	08 Sep 2015
Seagate Technology LLC	Affected	-	07 Sep 2015

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	7.7	AV:A/AC:L/Au:S/C:C/I:C/A:C
Temporal	6.0	E:POC/RL:OF/RC:C
Environmental	4.5	CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Mike Baucom, Allen Harper, and J. Rach of Tangible Security for reporting this vulnerability to us. Tangible Security would also like to publically thank Seagate for their cooperation and desire to make their products and customers more secure.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2015-2874 CVE-2015-2875 CVE-2015-2876
Date Public: 01 Sep 2015
Date First Published: 01 Sep 2015
Date Last Updated: 10 Sep 2015
Document Revision: 60

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#361684: Router devices do not implement sufficient UPnP authentication and security

CERT — Mon, 31 Aug 2015 21:27:18 +0000

Vulnerability Note VU#361684

Router devices do not implement sufficient UPnP authentication and security

Original Release date: 31 Aug 2015 | Last revised: 31 Aug 2015

Overview

Home routers implementing the UPnP protocol do not sufficiently randomize UUIDs in UPnP control URLs, or implement other UPnP security measures.

Description

The UPnP protocol allows automatic device discovery and interaction with devices on a network. The UPnP protocol was originally designed with the threat model of being on a private network (not available to the WAN) restricted to only authorized users, and therefore does not by default implement authentication. Later efforts developed a UPnP Security standard, but according to UPnP Forum's Device Protection standard documentation, "support and deployment of this standard has been extremely limited", due to cumbersome user experience and lack of industry buy-in of advanced features such as Public Key Infrastructure (PKI).

According to the reporter, poor adoption of the security standard may broadly open up opportunities for an attacker with private network access to guess the UPnP Control URLs for many devices currently on the market. If the guess is correct, the attacker may utilize UPnP to make changes to the home router's configuration such as opening ports and enabling services that allow an attacker further access to the network. A correct guess is likely, due to many manufacturers' use of standardized UPnP Control URL names.

Some vendors have reported that their devices randomize the UUID in the Control URL, making guessing the correct URL much more difficult, but many vendors have not taken this action. For more information, see the Vendor Information section below. It is currently unclear how widespread the deployment of UPnP security standards is in these devices.

One possible method of gaining enough access to the private network to utilize UPnP is through a DNS Rebinding attack, which is well-known in the security community. Previously, it has been reported that Flash may be utilized to gain control of UPnP.

The reporter has more information on this issue at http://www.filet-o-firewall.com.

Impact

An attacker able to gain access to the private network by enticing a user to visit a specially-crafted web page may be able to silently open ports in a user's firewall or perform other administrative actions on the gateway router.

Solution

The CERT/CC is currently unaware of a full solution to this problem. However, the following workarounds may help mitigate risks.

Do not follow unknown links

Exercise caution when following links to URLs you do not recognize.

Disable UPnP

Consider disabling UPnP services on your home network. Some users may require UPnP services on their network; if so, users must exercise judgment and weigh risks versus rewards of operating such a network. When purchasing networking equipment, consider devices that have implemented the latest UPnP standards and security.

Furthermore, if you are a developer or manufacturer of devices using UPnP, consider the following:

Randomize the UUID in the control URL

Randomizing appropriate UPnP UUIDs and URLs may help mitigate brute force attacks, but likely is not a full solution.

Implement latest UPnP standards

Consider implementing the latest UPnP standards such as Device Protection in order to provide better security to devices utilizing UPnP.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
ACCESS	Unknown	14 Jul 2015	14 Jul 2015
Alcatel-Lucent	Unknown	14 Jul 2015	14 Jul 2015
AT&T	Unknown	14 Jul 2015	14 Jul 2015
Avaya, Inc.	Unknown	14 Jul 2015	14 Jul 2015
Belkin, Inc.	Unknown	14 Jul 2015	14 Jul 2015
Check Point Software Technologies	Unknown	14 Jul 2015	14 Jul 2015
Cisco	Unknown	14 Jul 2015	14 Jul 2015
D-Link Systems, Inc.	Unknown	14 Jul 2015	14 Jul 2015
Extreme Networks	Unknown	14 Jul 2015	14 Jul 2015
F5 Networks, Inc.	Unknown	14 Jul 2015	14 Jul 2015
Force10 Networks	Unknown	14 Jul 2015	14 Jul 2015
Google	Unknown	19 Jun 2015	19 Jun 2015
Hitachi	Unknown	14 Jul 2015	14 Jul 2015
Huawei Technologies	Unknown	14 Jul 2015	14 Jul 2015
IBM Corporation	Unknown	14 Jul 2015	14 Jul 2015

If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group	Score	Vector
Base	4.3	AV:N/AC:M/Au:N/C:N/I:P/A:N
Temporal	3.7	E:POC/RL:U/RC:UR
Environmental	3.7	CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Grant Harrelson for reporting this issue to us.

This document was written by Garret Wassermann.

Other Information

CVE IDs: Unknown
Date Public: 31 Aug 2015
Date First Published: 31 Aug 2015
Date Last Updated: 31 Aug 2015
Document Revision: 76

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#525276: Philippine Long Distance Telephone SpeedSurf 504AN and Kasda KW58293 contain multiple vulnerabilities

CERT — Mon, 31 Aug 2015 18:39:18 +0000

Vulnerability Note VU#525276

Philippine Long Distance Telephone SpeedSurf 504AN and Kasda KW58293 contain multiple vulnerabilities

Original Release date: 31 Aug 2015 | Last revised: 31 Aug 2015

Overview

The Phillipine Long Distance Telephone (PLDT) company provides internet access in the Phillippines. The SpeedSurf 504AN and Kasda KW58293 modems distributed by PLDT contains multiple vulnerabilities.

Description

PLDT provides SpeedSurf 504AN, firmware version GAN9.8U26-4-TX-R6B018-PH.EN, and the Kasda KW58293, to customers for internet access. These devices contains multiple vulnerabilities.

CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2015-5991

The form2WlanSetup.cgi page does not properly authenticate that administrative actions are being performed on purpose. An attacker may lure a user behind the router to click a malicious link when performs administrative actions such as changing the device's network settings.

CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) - CVE-2015-5992

The form2WlanSetup.cgi page contains an "ssid" parameter which is vulnerable to cross-site scripting.

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - CVE-2015-5993

The form2ping.cgi page may be used to send PING requests. An attacker may use this page to inject a large string (more than 1874 characters) in the parameter "ipaddr" with a POST request which may cause a denial of service on the router. The router requires manual rebooting to recover.

CWE-798: Use of Hard-coded Credentials

Both modems contain a hard-coded account named adminpldt with a hard-coded password. For more information, please see VU#950576.

The CVSS score below is based on CVE-2015-5991.

Impact

A remote attacker may utilize these credentials to gain administrator access to the device. A remote attacker may also be able to cause a denial of service.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
Philippine Long Distance Telephone	Affected	02 Jun 2015	28 Aug 2015

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	7.4	AV:A/AC:M/Au:S/C:C/I:C/A:C
Temporal	6.3	E:POC/RL:U/RC:UR
Environmental	4.7	CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

None

Credit

Thanks to Eskie Cirrus James Maquilang for reporting this vulnerability to us.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2015-5991 CVE-2015-5992 CVE-2015-5993
Date Public: 31 Aug 2015
Date First Published: 31 Aug 2015
Date Last Updated: 31 Aug 2015
Document Revision: 47

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#201168: Belkin N600 DB Wireless Dual Band N+ router contains multiple vulnerabilities

CERT — Mon, 31 Aug 2015 14:04:18 +0000

Vulnerability Note VU#201168

Belkin N600 DB Wireless Dual Band N+ router contains multiple vulnerabilities

Original Release date: 31 Aug 2015 | Last revised: 01 Sep 2015

Overview

Belkin N600 DB Wireless Dual Band N+ router, model F9K1102 v2 with firmware version 2.10.17 and possibly earlier, contains multiple vulnerabilities.

Description

CWE-330: Use of Insufficiently Random Values - CVE-2015-5987

DNS queries originating from the Belkin N600, such as those to resolve the names of firmware update and NTP servers, use predictable TXIDs that start at 0x0002 and increase incrementally. An attacker with the ability to spoof DNS responses can cause the router to contact incorrect or malicious hosts under the attacker's control.

CWE-319: Cleartext Transmission of Sensitive Information

Belkin uses HTTP by default for checking and transmitting firmware update information to vulnerable routers. An attacker capable of conducting man-in-the-middle attacks can manipulate traffic to block updates or inject arbitrary files.

CWE-255: Credentials Management - CVE-2015-5988

Belkin N600 by default does not set a password for the web management interface. A local area network (LAN) attacker can gain privileged access to the web management interface or leverage the default absence of credentials in remote attacks such as cross-site request forgery.

CWE-603: Use of Client-Side Authentication - CVE-2015-5989

When a password is implemented in the Belkin N600 web management interface, authorization is enforced client-side by the browser. By intercepting packets from the embedded server containing the strings "LockStatus": "1" and "Login_Success": "0" and modifying the values to "2" and "1" respectively, an attacker can bypass authentication and gain full, privileged access to restricted pages of the web management interface.

CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2015-5990

Belkin N600 routers contain a global cross-site request forgery (CSRF) vulnerability. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request. Note that in default configurations lacking password protection, an attacker can establish an active session as part of an attack and does not require a victim to be logged in.

The CVSS score below describes CVE-2015-5990.

Impact

A remote, unauthenticated attacker may be able to spoof DNS responses to cause vulnerable devices to contact attacker-controlled hosts or induce an authenticated user into making an unintentional request to the web server that will be treated as an authentic request. A LAN-based attacker can bypass authentication to take complete control of vulnerable devices.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. Until these vulnerabilities are addressed, users should consider the following workarounds.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
Belkin, Inc.	Affected	17 Jul 2015	25 Aug 2015

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	6.8	AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal	6.1	E:POC/RL:U/RC:C
Environmental	4.6	CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

These vulnerabilities were reported by Joel Land of the CERT/CC.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2015-5987 CVE-2015-5988 CVE-2015-5989 CVE-2015-5990
Date Public: 31 Aug 2015
Date First Published: 31 Aug 2015
Date Last Updated: 01 Sep 2015
Document Revision: 31

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

TA15-240A: Controlling Outbound DNS Access

Fri, 28 Aug 2015 17:31:53 +0000

Original release date: August 28, 2015 | Last revised: August 30, 2015

Systems Affected

Networked systems

Overview

US-CERT has observed an increase in Domain Name System (DNS) traffic from client systems within internal networks to publically hosted DNS servers. Direct client access to Internet DNS servers, rather than controlled access through enterprise DNS servers, can expose an organization to unnecessary security risks and system inefficiencies. This Alert provides recommendations for improving security related to outbound DNS queries and responses.

Description

Client systems and applications may be configured to send DNS requests to servers other than authorized enterprise DNS caching name servers (also called resolving, forwarding or recursive name servers). This type of configuration poses a security risk and may introduce inefficiencies to an organization.

Impact

Unless managed by perimeter technical solutions, client systems and applications may connect to systems outside the enterprise’s administrative control for DNS resolution. Internal enterprise systems should only be permitted to initiate requests to and receive responses from approved enterprise DNS caching name servers. Permitting client systems and applications to connect directly to Internet DNS infrastructure introduces risks and inefficiencies to the organization, which include:

Bypassed enterprise monitoring and logging of DNS traffic; this type of monitoring is an important tool for detecting potential malicious network activity.
Bypassed enterprise DNS security filtering (sinkhole/redirect or blackhole/block) capabilities; this may allow clients to access malicious domains that would otherwise be blocked.
Client interaction with compromised or malicious DNS servers; this may cause inaccurate DNS responses for the domain requested (e.g., the client is sent to a phishing site or served malicious code).
Lost protections against DNS cache poisoning and denial-of-service attacks. The mitigating effects of a tiered or hierarchical (e.g., separate internal and external DNS servers, split DNS, etc.) DNS architecture used to prevent such attacks are lost.
Reduced Internet browsing speed since enterprise DNS caching would not be utilized.

Solution

Implement the recommendations below to provide a more secure and efficient DNS infrastructure. Please note that these recommendations focus on improving the security of outbound DNS query or responses and do not encompass all DNS security best practices.

Configure operating systems and applications (including lower-tier DNS servers intended to forward queries to controlled enterprise DNS servers) to use only authorized DNS servers within the enterprise for outbound DNS resolution.
Configure enterprise perimeter network devices to block all outbound User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) traffic to destination port 53, except from specific, authorized DNS servers (including both authoritative and caching/forwarding name servers).
- Additionally, filtering inbound destination port 53 TCP and UDP traffic to only allow connections to authorized DNS servers (including both authoritative and caching/forwarding name servers) will provide additional protections.
Refer to Section 12 of the NIST Special Publication 800-81-2 for guidance when configuring enterprise recursive DNS resolvers. [1]

References

[1] Secure Domain Name System (DNS) Deployment Guide

Revision History

August 28, 2015: Initial Release

This product is provided subject to this Notification and this Privacy & Use policy.

VU#950576: DSL routers contain hard-coded "XXXXairocon" credentials

CERT — Tue, 25 Aug 2015 15:30:18 +0000

Vulnerability Note VU#950576

DSL routers contain hard-coded "XXXXairocon" credentials

Original Release date: 25 Aug 2015 | Last revised: 27 Aug 2015

Overview

DSL routers by ASUS, DIGICOM, Observa Telecom, Philippine Long Distance Telephone (PLDT), and ZTE contain hard-coded "XXXXairocon" credentials

Description

CWE-798: Use of Hard-coded Credentials

DSL routers, including the ASUS DSL-N12E, DIGICOM DG-5524T, Observa Telecom RTA01N, Philippine Long Distance Telephone (PLDT) SpeedSurf 504AN and Kasda KW58293, and ZTE ZXV10 W300 contain hard-coded credentials that are useable in the telnet service on the device. In the ASUS, DIGICOM, Observa Telecom, and ZTE devices, the username is "admin," in the PLDT devices, the user name is "adminpldt," and in all affected devices, the password is "XXXXairocon" where "XXXX" is the last four characters of the device's MAC address. The MAC address may be obtainable over SNMP with community string public.

The vulnerability was previously disclosed in VU#228886 and assigned CVE-2014-0329 for ZTE ZXV10 W300, but it was not known at the time that the same vulnerability affected products published by other vendors. The Observa Telecom RTA01N was previously disclosed on the Full Disclosure mailing list.

Impact

A remote attacker may utilize these credentials to gain administrator access to the device.

Solution

The CERT/CC is currently unaware of a practical solution to this problem and recommends the following workaround:

Restrict access

Enable firewall rules so the telnet service of the device is not accessible to untrusted sources. Enable firewall rules that block SNMP on the device.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
AsusTek Computer Inc.	Affected	04 May 2015	25 Aug 2015
DIGICOM (HK)	Affected	-	25 Aug 2015
Observa Telecom	Affected	-	25 Aug 2015
Philippine Long Distance Telephone	Affected	02 Jun 2015	27 Aug 2015
ZTE Corporation	Affected	03 Dec 2013	25 Aug 2015

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	9.3	AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal	8.0	E:POC/RL:U/RC:UR
Environmental	6.0	CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Walter Mostosi for reporting the issue affecting ASUS devices, Naresh LamGarde for DIGICOM devices, and to Eskie Cirrus James Maquilang for PLDT devices. Thanks again to Cesar Neira for reporting the issue in ZTE devices, and to Jose Antonio Rodriguez Garcia for disclosing the Observa Telecom vulnerability to Full Disclosure.

This document was written by Joel Land and Garret Wassermann.

Other Information

CVE IDs: Unknown
Date Public: 25 Aug 2015
Date First Published: 25 Aug 2015
Date Last Updated: 27 Aug 2015
Document Revision: 18

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MS15-067 - Critical: Vulnerability in RDP Could Allow Remote Code Execution (3073094) - Version: 1.1

Fri, 21 Aug 2015 07:00:00 +0000

Severity Rating: Critical
Revision Note: V1.1 (August 21, 2015): Improved the Update FAQ section and the footnote for the Affected Software table to help customers more easily identify the correct update to apply based on the currently installed version of RDP on Windows 7 systems. These are informational changes only. Customers who have already successfully applied the update do not need to take any action. Customers who have not already installed the necessary update should do so to be protected from the vulnerability it addresses.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends a specially crafted sequence of packets to a targeted system with Remote Desktop Protocol (RDP) enabled. By default, RDP is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.

VU#276148: Dedicated Micros DVR products use plaintext protocols and require no password by default

CERT — Thu, 20 Aug 2015 14:36:19 +0000

Vulnerability Note VU#276148

Dedicated Micros DVR products use plaintext protocols and require no password by default

Original Release date: 20 Aug 2015 | Last revised: 20 Aug 2015

Overview

Dedicated Micros DVR products, including the DV-IP Express, SD Advanced, SD, EcoSense, and DS2, by default use plaintext protocols and require no password.

Description

CWE-311: Missing Encryption of Sensitive Data

Dedicated Micros DVR products by default use HTTP, telnet, and FTP rather than secure alternatives, making it the responsibility of the end user to configure a device securely. Sensitive data may be viewed or modified in transit by unauthorized attackers.

CWE-284: Improper Access Control - CVE-2015-2909

Dedicated Micros DVR products by default do not require authentication. End users may password-protect their devices but are not required to do so, resulting in devices that are open to unauthorized access and tampering.

Impact

A remote, unauthenticated attacker can view and manipulate sensitive data and take complete control of an unsecured device.

Solution

The CERT/CC is currently unaware of a practical solution to this problem and recommends the following workarounds.

Enable secure communications protocols

According to the vendor, "users can enable secure protocols such as HTTPS and SSH, and HTTP POST Upload over HTTPS if they wish."

Users are encouraged to contact the vendor for guidance in setting up secure protocols.

Use password protection

According to the vendor:

The system by default has no authentication on the HTTP, Telnet and FTP interfaces. Dedicated Micros do not provide a default username and password as these are not secure and instead advise users to set their own.The user is presented with clear warnings on the GUI that they should set usernames and passwords.

Users are encouraged to refer to individual device documentation or to contact the vendor for guidance in setting up authentication.

Enable security by default

Vendors should provide systems that are reasonably secure by default rather than dependent on end user configuration choices. Shodan results show that some Dedicated Micros devices are openly accessible on the Internet with no authentication. While it may be reasonable to argue that secure configuration options exist and that default passwords are insecure, more secure alternatives exist:

Enable secure protocols by default, or at least prompt users to enable them when external access is configured.
Implement unique default passwords, even if based on something deterministic like the MAC address.
Require users to change the password at setup.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
Dedicated Micros	Affected	21 May 2015	17 Aug 2015

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	10.0	AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal	8.5	E:POC/RL:W/RC:C
Environmental	6.4	CDP:N/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Andrew Tierney for reporting this vulnerability.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2015-2909
Date Public: 20 Aug 2015
Date First Published: 20 Aug 2015
Date Last Updated: 20 Aug 2015
Document Revision: 22

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MS15-093 - Critical: Security Update for Internet Explorer (3088903) - Version: 1.1

Thu, 20 Aug 2015 07:00:00 +0000

Severity Rating: Critical
Revision Note: V1.1 (August 20, 2015): Bulletin revised to announce a detection change in the 3087985 update for Internet Explorer. This is a detection change only. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves a vulnerability in Internet Explorer. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

VU#248692: Trend Micro Deep Discovery threat appliance contains multiple vulnerabilities

CERT — Tue, 18 Aug 2015 14:59:18 +0000

Vulnerability Note VU#248692

Trend Micro Deep Discovery threat appliance contains multiple vulnerabilities

Original Release date: 18 Aug 2015 | Last revised: 18 Aug 2015

Overview

Multiple versions of the Trend Micro Deep Discovery threat appliance are vulnerable to cross-site scripting and authentication bypass.

Description

The Trend Micro Deep Discovery platform "enables you to detect, analyze, and respond to today’s stealthy, targeted attacks in real time." It may be deployed on a network as an appliance. The Trend Micro Deep Discovery Threat Appliance version 3.7.1096 is vulnerable to cross-site scripting and authentication bypass.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2015-2872

The contentURL parameter of a request to index.html is not properly validated and vulnerable to reflected cross-site scripting.

CWE-425: Direct Request ('Forced Browsing') - CVE-2015-2873

Several URLs, including the system log, whitelist, and blacklist, are accessible to a non-administrator user by direct request. The pages do not properly check for authorization.

Trend Micro has released an advisory on these issues. The CVSS score below is based on CVE-2015-2873.

Impact

An authenticated user without administrator privileges may access and modify certain system configuration settings. An unauthenticated remote user may conduct cross-site scripting attacks.

Solution

Apply an update

Trend Micro has released updates to address this issue. Affected users are encouraged to update as soon as possible.

Affected versions are listed below with the patch number corresponding to the update (for example, if you use 3.8 English, update to 3.8.1263):

Affected Version (Version Number and Language)	Updated Patch Version (Versions prior to the one listed here may be affected)
3.8 English	3.8.1263 - Critical Patch B1263
3.8 Japanese	3.8.2047 - Critical Patch B2047
3.7 English	3.7.1248 - Critical Patch B1248
3.7 Japanese	3.7.1228 - Critical Patch B1228
3.7 Simplified Chinese	3.7.1227 - Critical Patch B1227
3.6 English	3.6.1217 - Critical Patch B1217
3.5 English	3.5.1477 - Critical Patch B1477
3.5 Japanese	3.5.1554 - Critical Patch B1544
3.5 Simplified Chinese	3.5.1433 - Critical Patch B1433

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
Trend Micro	Affected	09 Jul 2015	07 Aug 2015

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	5.5	AV:N/AC:L/Au:S/C:P/I:P/A:N
Temporal	4.1	E:POC/RL:OF/RC:UR
Environmental	3.0	CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to John Page ("hyp3rlinx") for reporting this vulnerability to us.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2015-2872 CVE-2015-2873
Date Public: 18 Aug 2015
Date First Published: 18 Aug 2015
Date Last Updated: 18 Aug 2015
Document Revision: 37

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#300820: Cisco Prime Infrastructure contains SUID root binaries

CERT — Mon, 17 Aug 2015 19:26:17 +0000

Vulnerability Note VU#300820

Cisco Prime Infrastructure contains SUID root binaries

Original Release date: 17 Aug 2015 | Last revised: 17 Aug 2015

Overview

The Cisco Prime Infrastructure version 2.2 contains two binaries with SUID root world-executable privileges, allowing any local user to execute arbitrary commands as root.

Description

CWE-276: Incorrect Default Permissions

Two binaries are included in Cisco Prime version 2.2 that run as SUID root with world-executable privileges. The commands are

/opt/CSCOlumos/bin/runShellCommand /opt/CSCOlumos/bin/runShellAsRoot

These commands may be used to run arbitrary commands as root by any local user.

According to Cisco, the default installation does not create any regular users, and Cisco does not support or recommend creating regular users or utilizing the command line shell for administration. Cisco has provided more information in a security advisory (customer user account required to view).

Impact

A remote authenticated user may escalate privileges to root and execute arbitrary commands.

Solution

Apply an update

Cisco has released an update to address this issue. For more information on the update, please see Cisco's security advisory (customer user account required to view). Affected users should update as soon as possible.

You may also consider the following workaround:

Restrict executable permissions

According to the reporter, affected users may remove the world-executable permissions on runShellCommand and runShellAsRoot to disallow any local account from utilizing these binaries.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
Cisco	Affected	16 Mar 2015	08 May 2015

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	9.0	AV:N/AC:L/Au:S/C:C/I:C/A:C
Temporal	8.5	E:H/RL:W/RC:C
Environmental	6.4	CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Jeremy Brown for reporting this issue.

This document was written by Garret Wassermann.

Other Information

CVE IDs: Unknown
Date Public: 31 Jul 2015
Date First Published: 17 Aug 2015
Date Last Updated: 17 Aug 2015
Document Revision: 56

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MS15-086 - Important: Vulnerability in System Center Operations Manager Could Allow Elevation of Privilege (3075158) - Version: 1.0

Tue, 11 Aug 2015 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.0 (August 11, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft System Center Operations Manager. The vulnerability could allow elevation of privilege if a user visits an affected website by way of a specially crafted URL. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the affected website.

MS15-089 - Important: Vulnerability in WebDAV Could Allow Information Disclosure (3076949) - Version: 1.0

Tue, 11 Aug 2015 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.0 (August 11, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if an attacker forces an encrypted Secure Socket Layer (SSL) 2.0 session with a WebDAV server that has SSL 2.0 enabled and uses a man-in-the-middle (MiTM) attack to decrypt portions of the encrypted traffic.

MS15-090 - Important: Vulnerabilities in Microsoft Windows Could Allow Elevation of Privilege (3060716) - Version: 1.0

Tue, 11 Aug 2015 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.0 (August 11, 2015): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application or convinces a user to open a specially crafted file that invokes a vulnerable sandboxed application, allowing an attacker to escape the sandbox.

MS15-091 - Critical: Cumulative Security Update for Microsoft Edge (3084525) - Version: 1.0

Tue, 11 Aug 2015 07:00:00 +0000

Severity Rating: Critical
Revision Note: V1.0 (August 11, 2015): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

85 - None: Vulnerability in Mount Manager Could Allow Elevation of Privilege (3082487) - Version: 1.0

Tue, 11 Aug 2015 07:00:00 +0000

Severity Rating: None
Revision Note: V1.0 (August 11, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker inserts a malicious USB device into a target system. An attacker could then write a malicious binary to disk and in certain situations execute it.

MS15-084 - Important: Vulnerabilities in XML Core Services Could Allow Information Disclosure (3080129) - Version: 1.0

Tue, 11 Aug 2015 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.0 (August 11, 2015): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow information disclosure by either exposing memory addresses if a user clicks a specially crafted link or by explicitly allowing the use of Secure Sockets Layer (SSL) 2.0. However, in all cases an attacker would have no way to force users to click a specially crafted link; an attacker would have to convince users to click the link, typically by way of an enticement in an email or Instant Messenger message.

MS15-085 - Important: Vulnerability in Mount Manager Could Allow Elevation of Privilege (3082487) - Version: 1.0

Tue, 11 Aug 2015 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.0 (August 11, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker inserts a malicious USB device into a target system. An attacker could then write a malicious binary to disk and in certain situations execute it.

MS15-082 - Important: Vulnerabilities in RDP Could Allow Remote Code Execution (3080348) - Version: 1.0

Tue, 11 Aug 2015 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.0 (August 11, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends a specially crafted sequence of packets to a targeted system with Remote Desktop Protocol (RDP) enabled. By default, RDP is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.

MS15-088 - Important: Unsafe Command Line Parameter Passing Could Allow Information Disclosure (3082458) - Version: 1.0

Tue, 11 Aug 2015 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.0 (August 11, 2015): Bulletin published.
Summary: This security update helps to resolve an information disclosure vulnerability in Microsoft Windows, Internet Explorer, and Microsoft Office. To exploit the vulnerability an attacker would first have to use another vulnerability in Internet Explorer to execute code in the sandboxed process. The attacker could then execute Notepad, Visio, PowerPoint, Excel, or Word with an unsafe command line parameter to effect information disclosure. To be protected from the vulnerability, customers must apply the updates provided in this bulletin, as well as the update for Internet Explorer provided in MS15-079. Likewise, customers running an affected Microsoft Office product must also install the applicable updates provided in MS15-081.

MS15-079 - Critical: Cumulative Security Update for Internet Explorer (3082442) - Version: 1.0

Tue, 11 Aug 2015 07:00:00 +0000

Severity Rating: Critical
Revision Note: V1.0 (August 11, 2015): Bulletin published.
Summary: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

MS15-087 - Important: Vulnerability in UDDI Services Could Allow Elevation of Privilege (3082459) - Version: 1.0

Tue, 11 Aug 2015 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.0 (August 11, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker engineered a cross-site scripting (XSS) scenario by inserting a malicious script into a webpage search parameter. A user would have to visit a specially crafted webpage where the malicious script would then be executed.

TA15-213A: Recent Email Phishing Campaigns – Mitigation and Response Recommendations

Sat, 01 Aug 2015 22:01:08 +0000

Original release date: August 01, 2015

Systems Affected

Microsoft Windows Systems, Adobe Flash Player, and Linux

Overview

Between June and July 2015, the United States Computer Emergency Readiness Team (US-CERT) received reports of multiple, ongoing and likely evolving, email-based phishing campaigns targeting U.S. Government agencies and private sector organizations. This alert provides general and phishing-specific mitigation strategies and countermeasures.

Description

US-CERT is aware of three phishing campaigns targeting U.S. Government agencies and private organizations across multiple sectors. All three campaigns leveraged website links contained in emails; two sites exploited a recent Adobe Flash vulnerability (CVE-2015-5119) while the third involved the download of a compressed (i.e., ZIP) file containing a malicious executable file. Most of the websites involved are legitimate corporate or organizational sites that were compromised and are hosting malicious content.

Impact

Systems infected through targeted phishing campaigns act as an entry point for attackers to spread throughout an organization’s entire enterprise, steal sensitive business or personal information, or disrupt business operations.

Solution

Phishing Mitigation and Response Recommendations

Implement perimeter blocks for known threat indicators:
- Email server or email security gateway filters for email indicators
- Web proxy and firewall filters for websites or Internet Protocol (IP) addresses linked in the emails or used by related malware
- DNS server blocks (blackhole) or redirects (sinkhole) for known related domains and hostnames
Remove malicious emails from targeted user mailboxes based on email indicators (e.g., using Microsoft ExMerge).
Identify recipients and possible infected systems:
- Search email server logs for applicable sender, subject, attachments, etc. (to identify users that may have deleted the email and were not identified in purge of mailboxes)
- Search applicable web proxy, DNS, firewall or IDS logs for activity the malicious link clicked.
- Search applicable web proxy, DNS, firewall or IDS logs for activity to any associated command and control (C2) domains or IP addresses associated with the malware.
- Review anti-virus (AV) logs for alerts associated with the malware. AV products should be configured to be in quarantine mode. It is important to note that the absence of AV alerts or a clean AV scan should not be taken as conclusive evidence a system is not infected.
- Scan systems for host-level indicators of the related malware (e.g., YARA signatures)

For systems that may be infected:
- Capture live memory of potentially infected systems for analysis
- Take forensic images of potentially infected systems for analysis
- Isolate systems to a virtual local area network (VLAN) segmented form the production agency network (e.g., an Internet-only segment)
Report incidents, with as much detail as possible, to the NCCIC.

Educate Your Users

Organizations should remind users that they play a critical role in protecting their organizations form cyber threats. Users should:

Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. Be particularly wary of compressed or ZIP file attachments.
Avoid clicking directly on website links in emails; attempts to verify web addresses independently (e.g., contact your organization’s helpdesk or sear the Internet for the main website of the organization or topic mentioned in the email).
Report any suspicious emails to the information technology (IT) helpdesk or security office immediately.

Basic Cyber Hygiene

Practicing basic cyber hygiene would address or mitigate the vast majority of security breaches handled by today’s security practitioners:

Privilege control (i.e., minimize administrative or superuser privileges)
Application whitelisting / software execution control (by file or location)
System application patching (e.g., operating system vulnerabilities, third-party vendor applications)
Security software updating (e.g., AV definitions, IDS/IPS signatures and filters)
Network segmentation (e.g., separate administrative networks from business-critical networks with physical controls and virtual local area networks)
Multi-factor authentication (e.g., one-time password tokens, personal identity verification (PIV cards)

Further Information

For more information on cybersecurity best practices, users and administrators are encouraged to review US-CERT Security Tip: Handling Destructive Malware to evaluate their capabilities encompassing planning, preparation, detection, and response. Another resource is ICS-CERT Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies.

References

Revision History

August 1, 2015: Initial Release

This product is provided subject to this Notification and this Privacy & Use policy.

MS15-074 - Important: Vulnerability in Windows Installer Service Could Allow Elevation of Privilege (3072630) - Version: 2.0

Wed, 29 Jul 2015 07:00:00 +0000

Severity Rating: Important
Revision Note: V2.0 (July 29, 2015): Bulletin published.
Summary: Bulletin rereleased to announce the availability of an update package for Windows 10 systems. Customers running Windows 10 should apply the 3074683 update to be protected from the vulnerability discussed in this bulletin. The update is available via Windows Update only. The majority of customers have automatic updating enabled and will not need to take any action because the update will be downloaded and installed automatically.

MS15-078 - Critical: Vulnerability in Microsoft Font Driver Could Allow Remote Code Execution (3079904) - Version: 2.0

Wed, 29 Jul 2015 07:00:00 +0000

Severity Rating: Critical
Revision Note: V2.0 (July 29, 2015): Bulletin published.
Summary: Bulletin rereleased to announce the availability of an update package for Windows 10 systems. Customers running Windows 10 should apply the 3074683 update to be protected from the vulnerability discussed in this bulletin. The update is available via Windows Update only. The majority of customers have automatic updating enabled and will not need to take any action because the update will be downloaded and installed automatically.

MS15-069 - Important: Vulnerabilities in Windows Could Allow Remote Code Execution (3072631) - Version: 1.1

Wed, 29 Jul 2015 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.1 (July 29, 2015): Bulletin revised to correct the Desktop Experience footnote in the Affected Software section. The footnote had incorrectly applied to update 3070738 on Windows Server 2008 R2 when it should have applied to update 3067903 on Windows Server 2008 and Windows Server 2008 R2. Also added a footnote for the 3070738 update to clarify that only systems with RDP 8.1 installed are affected. These are informational changes only. Customers who have already successfully applied the updates do not need to take any action. Customers who have not already installed the necessary updates should do so to be protected from the vulnerability it addresses.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow Remote Code Execution if an attacker first places a specially crafted dynamic link library (DLL) file in the target user’s current working directory and then convinces the user to open an RTF file or to launch a program that is designed to load a trusted DLL file but instead loads the attacker’s specially crafted DLL file. An attacker who successfully exploited the vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

MS15-065 - Critical: Security Update for Internet Explorer (3076321) - Version: 1.1

Wed, 22 Jul 2015 07:00:00 +0000

Severity Rating: Critical
Revision Note: V1.1 (July 22, 2015): Corrected the affected software entries for CVE-2015-1733 in the Severity Ratings and Vulnerability Identifiers table. This is an informational change only. Customers who have already successfully installed the update do not have to take any action.
Summary: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

MS15-006 - Important: Vulnerability in Windows Error Reporting Could Allow Security Feature Bypass (3004365) - Version: 2.0

Wed, 22 Jul 2015 07:00:00 +0000

Severity Rating: Important
Revision Note: V2.0 (July 22, 2015): Bulletin revised to inform customers of the July 14, 2015 reoffering of the 3004365 update for Windows 8.1 and Windows Server 2012 R2 systems. The update provides defense-in-depth measures beyond what was provided in the original update issued on January 13, 2015. Customers running these operating systems who have already successfully applied the update should reinstall the update to be best protected from the vulnerability discussed in this bulletin.
Summary: This security update resolves a privately reported vulnerability in Windows Error Reporting (WER). The vulnerability could allow security feature bypass if successfully exploited by an attacker. An attacker who successfully exploited this vulnerability could gain access to the memory of a running process. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS15-058 - Important: Vulnerabilities in SQL Server Could Allow Remote Code Execution (3065718) - Version: 1.1

Wed, 22 Jul 2015 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.1 (July 22, 2015): Bulletin revised to improve the Update FAQ section to help customers more easily identify the correct update to apply based on a currently installed version of SQL Server. This is an informational change only. Customers who have already successfully installed the update do not need to take any action.
Summary: This security update resolves vulnerabilities in Microsoft SQL Server. The most severe vulnerabilities could allow remote code execution if an authenticated attacker runs a specially crafted query that is designed to execute a virtual function from a wrong address, leading to a function call to uninitialized memory. To exploit this vulnerability an attacker would need permissions to create or modify a database.

TA15-195A: Adobe Flash and Microsoft Windows Vulnerabilities

Tue, 14 Jul 2015 23:13:44 +0000

Original release date: July 14, 2015 | Last revised: July 15, 2015

Systems Affected

Microsoft Windows systems with Adobe Flash Player installed.

Overview

Used in conjunction, recently disclosed vulnerabilities in Adobe Flash and Microsoft Windows may allow a remote attacker to execute arbitrary code with system privileges. Since attackers continue to target and find new vulnerabilities in popular, Internet-facing software, updating is not sufficient, and it is important to use exploit mitigation and other defensive techniques.

Description

The following vulnerabilities illustrate the need for ongoing mitigation techniques and prioritization of updates for highly targeted software:

Adobe Flash use-after-free and memory corruption vulnerabilities (CVE-2015-5119, CVE-2015-5122, CVE-2015-5123) Adobe Flash Player contains critical vulnerabilities within the ActionScript 3 ByteArray, opaqueBackground and BitmapData classes. Exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code on a vulnerable system.
Microsoft Windows Adobe Type Manager privilege escalation vulnerability (CVE-2015-2387)
The Adobe Type Manager module contains a memory corruption vulnerability, which can allow an attacker to obtain system privileges on an affected Windows system. The Adobe Type Manager is a Microsoft Windows component present in every version since NT 4.0. The primary impact of exploiting this vulnerability is local privilege escalation.

Vulnerability Chaining

By convincing a user to visit a website or open a file containing specially crafted Flash content, an attacker could combine any one of the three Adobe Flash vulnerabilities with the Microsoft Windows vulnerability to take full control of an affected system.

A common attack vector for exploiting a Flash vulnerability is to entice a user to load Flash content in a web browser, and most web browsers have Flash installed and enabled. A second attack vector for Flash vulnerabilities is through a file (such as an email attachment) that embeds Flash content. Another technique leverages Object Linking and Embedding (OLE) capabilities in Microsoft Office documents to automatically download Flash content from a remote server.

An attacker who is able to execute arbitrary code through the Flash vulnerability could exploit the Adobe Type Manager vulnerability to gain elevated system privileges. The Adobe Type Manager vulnerability allows the attacker to bypass sandbox defenses (such as those found in Adobe Reader and Google Chrome) and low integrity protections (such as Protected Mode Internet Explorer and Protected View for Microsoft Office).

Impact

The Adobe Flash vulnerabilities can allow a remote attacker to execute arbitrary code. Exploitation of the Adobe Type Manager vulnerability could then allow the attacker to execute code with system privileges.

Solution

Since attackers regularly target widely deployed, Internet-accessible software such as Adobe Flash and Microsoft Windows, it is important to prioritize updates for these products to defend against known vulnerabilities.

Since attackers regularly discover new vulnerabilities for which updates do not exist, it is important to enable exploit mitigation and other defensive techniques.

Apply Security Updates

The Adobe Flash vulnerabilities (CVE-2015-5119, CVE-2015-5122, CVE-2015-5123) are addressed in Adobe Security Bulletins APSB15-16 and APSB15-18. Users are encouraged to review the Bulletins and apply the necessary updates.

The Microsoft Windows Adobe Type Manager vulnerability (CVE-2015-2387) is addressed in Microsoft security Bulletin MS15-077. Users are encouraged to review the Bulletin and apply the necessary updates.

Additional information regarding the vulnerabilities can be found in Vulnerability Notes VU#561288, VU#338736, VU#918568, and VU#103336.

Limit Flash Content

Do not run untrusted Flash content. Most web browsers have Flash enabled by default, however, it may be possible to enable click-to-play features. For information see http://www.howtogeek.com/188059/how-to-enable-click-to-play-plugins-in-every-web-browser/

Use the Microsoft Enhanced Mitigation Experience Toolkit (EMET)

EMET can be used to help prevent exploitation of the Flash vulnerabilities. In particular, Attack Surface Reduction (ASR) can be configured to help restrict Microsoft Office and Internet Explorer from loading the Flash ActiveX control. See the following link for additional information: http://www.microsoft.com/en-us/download/details.aspx?id=46366

References

Revision History

July 14, 2015: Initial Release

This product is provided subject to this Notification and this Privacy & Use policy.

MS15-072 - Important: Vulnerability in Windows Graphics Component Could Allow Elevation of Privilege (3069392) - Version: 1.0

Tue, 14 Jul 2015 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.0 (July 14, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if the Windows graphics component fails to properly process bitmap conversions. An authenticated attacker who successfully exploited this vulnerability could elevate privileges on a targeted system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights. An attacker must first log on to the system to exploit this vulnerability.

MS15-066 - Critical: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3072604) - Version: 1.0

Tue, 14 Jul 2015 07:00:00 +0000

Severity Rating: Critical
Revision Note: V1.0 (July 14, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in the VBScript scripting engine in Microsoft Windows. The vulnerability could allow remote code execution if a user visits a specially crafted website. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

MS15-070 - Important: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3072620) - Version: 1.0

Tue, 14 Jul 2015 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.0 (July 14, 2015): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

MS15-077 - Important: Vulnerability in ATM Font Driver Could Allow Elevation of Privilege (3077657) - Version: 1.0

Tue, 14 Jul 2015 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.0 (July 14, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to a target system and runs a specially crafted application. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

MS15-076 - Important: Vulnerability in Windows Remote Procedure Call Could Allow Elevation of Privilege (3067505) - Version: 1.0

Tue, 14 Jul 2015 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.0 (July 14, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability, which exists in Windows Remote Procedure Call (RPC) authentication, could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. An attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

MS15-068 - Critical: Vulnerabilities in Windows Hyper-V Could Allow Remote Code Execution (3072000) - Version: 1.0

Tue, 14 Jul 2015 07:00:00 +0000

Severity Rating: Critical
Revision Note: V1.0 (July 14, 2015): Bulletin published.
Summary: This security update resolves vulnerabilities in Windows Hyper-V. The vulnerabilities could allow remote code execution in a host context if a specially crafted application is run by an authenticated and privileged user on a guest virtual machine hosted by Hyper-V. An an attacker must have valid logon credentials for a guest virtual machine to exploit this vulnerability.

MS15-071 - Important: Vulnerability in Netlogon Could Allow Elevation of Privilege (3068457) - Version: 1.0

Tue, 14 Jul 2015 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.0 (July 14, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker who is logged on to a domain-joined system runs a specially crafted application that could establish a connection with other domain-joined systems as the impersonated user or system. The attacker must be logged on to a domain-joined system and be able to observe network traffic.

MS15-075 - Important: Vulnerabilities in OLE Could Allow Elevation of Privilege (3072633) - Version: 1.0

Tue, 14 Jul 2015 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.0 (July 14, 2015): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if used in conjunction with another vulnerability that allows arbitrary code to be run. Once the other vulnerability has been exploited, an attacker could then exploit the vulnerabilities addressed in this bulletin to cause arbitrary code to run at a medium integrity level.

MS15-073 - Important: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (3070102) - Version: 1.0

Tue, 14 Jul 2015 07:00:00 +0000

MS15-049 - Important: Vulnerability in Silverlight Could Allow Elevation of Privilege (3058985) - Version: 1.1

Tue, 23 Jun 2015 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.1 (June 23, 2015): Bulletin published.
Summary: Bulletin revised to announce a detection change in the 3056819 update for Microsoft Silverlight 5. This is a detection change only. Customers who have already successfully updated their systems do not need to take any action.

MS15-044 - Critical: Vulnerabilities in Microsoft Font Drivers Could Allow Remote Code Execution (3057110) - Version: 2.1

Tue, 23 Jun 2015 07:00:00 +0000

Severity Rating: Critical
Revision Note: V2.1 (June 23, 2015): V2.1 (June 23, 2015): Bulletin revised to announce a detection change in the 3056819 update for Microsoft Silverlight 5. This is a detection change only. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Microsoft Lync, and Microsoft Silverlight. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded TrueType fonts.

MS14-051 - Critical: Cumulative Security Update for Internet Explorer (2976627) - Version: 1.4

Wed, 17 Jun 2015 07:00:00 +0000

Severity Rating: Critical
Revision Note: V1.4 (June 17, 2015): Replaced CVE number CVE-2014-4078 with CVE number CVE-2014-8985. This is an informational change only. The CVE description was not changed. Customers who have already successfully installed the update do not need to take any action.
Summary: This security update resolves one publicly disclosed and twenty-five privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

MS15-048 - Important: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (3057134) - Version: 1.1

Wed, 17 Jun 2015 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.1 (June 17, 2015): Corrected bulletin replacement for the 3035488 update for .NET Framework 2.0 on all affected editions of Windows Server 2003 Service Pack 2.
Summary: This security update resolves vulnerabilities in Microsoft .NET Framework. The most severe of the vulnerabilities could allow elevation of privilege if an attacker sends specially crafted data to a WinForms application running in partial trust.

MS15-060 - Important: Vulnerability in Microsoft Common Controls Could Allow Remote Code Execution (3059317) - Version: 1.0

Tue, 09 Jun 2015 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.0 (June 9, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user clicks a specially crafted link, or a link to specially crafted content, and then invokes F12 Developer Tools in Internet Explorer.

MS15-062 - Important: Vulnerability in Active Directory Federation Services Could Allow Elevation of Privilege (3062577) - Version: 1.0

Tue, 09 Jun 2015 07:00:00 +0000

Severity Rating: Important
Revision Note: V1.0 (June 9, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Active Directory Federation Services (AD FS). The vulnerability could allow elevation of privilege if an attacker submits a specially crafted URL to a target site that, due to the vulnerability, fails to properly sanitize script embedded in the URL. Once an attacker has successfully submitted specially crafted script to a target site, any webpage on that site that contains the specially crafted script is a potential vector for cross-site scripting attacks.

TA15-120A: Securing End-to-End Communications

Thu, 30 Apr 2015 04:00:00 +0000

Original release date: April 30, 2015

Systems Affected

Networked systems

Overview

Securing end-to-end communications plays an important role in protecting privacy and preventing some forms of man-in-the-middle (MITM) attacks. Recently, researchers described a MITM attack used to inject code, causing unsecured web browsers around the world to become unwitting participants in a distributed denial-of-service attack. That same code can be employed to deliver an exploit for a particular vulnerability or to take other arbitrary actions.

Description

A MITM attack occurs when a third party inserts itself between the communications of a client and a server. MITM attacks as a general class are not new. Classic MITM attacks (e.g., ARP Spoofing) focus on redirecting network communications. By definition, network infrastructure under attacker control is vulnerable to MITM. However, as technology evolves, new methods for performing MITM attacks evolve as well.

Currently, there is no single technology or configuration to prevent all MITM attacks. However, increasing the complexity with multiple layers of defense may raise the cost for the attacker. Increasing the attacker’s cost in time, effort, or money can be an effective deterrent to avoiding future network compromise.

Generally, encryption and digital certificates provide an effective safeguard against MITM attacks, assuring both the confidentiality and integrity of communications. As a result, modern MITM attacks have focused on taking advantage of weaknesses in the cryptographic infrastructure (e.g., certificate authorities (CAs), web browser certificate stores) or the encryption algorithms and protocols themselves.

Impact

MITM attacks are critical because of the wide range of potential impacts—these include the exposure of sensitive information, modification of trusted data, and injection of data.

Solution

Employing multiple network and browser protection methods forces an attacker to develop different tactics, techniques, and procedures to circumvent the new security configuration.

US-CERT recommends reviewing the following mitigations to reduce vulnerability to MITM attacks:

Update Transport Layer Security and Secure Socket Layer (TLS/SSL)

US-CERT recommends upgrading TLS to 1.1 or higher and ensuring TLS 1.0 and SSL 1, 2, 3.x are disabled, unless required. TLS 1.0 clients can fall back to version 3.0 of the SSL protocol, which is vulnerable to a padding oracle attack when Cypher-Block Chaining mode is used. This method is commonly referred to as the "POODLE" (Padding Oracle on Downgraded Legacy Encryption) attack. Vulnerable TLS implementations can be updated by applying the patch provided by the vendor. Vendor information is available in the National Vulnerability Database (NVD) entry for CVE-2014-3566 [1] or in CERT Vulnerability Note VU#577193 [2]. See US-CERT TA14-290A [3] for additional information on this vulnerability.

Utilize Certificate Pinning

Certificate pinning [4] is a method of associating X.509 certificate and its public key to a specific CA or root. Typically, certificates are validated by checking a verifiable chain of trust back to a trusted root certificate. Certificate pinning bypasses this validation process and allows the user to trust “this certificate only” or “trust only certificates signed by this certificate.” Please use the following resources to configure your browser for certificate pinning:

Microsoft Certificate Trust

The Microsoft Enhanced Mitigation Experience Toolkit (EMET) 5.2 employs a feature named "Certificate Trust" for SSL/TLS certificate pinning. This feature is intended to detect and stop MITM attacks that leverage Public Key Infrastructure. [5]

To use the Certificate Trust, you must provide a list of websites you want to protect and certificate pinning rules applicable to those websites. In order to do this, work with the Certificate Trust Configuration feature of the graphical application or use the Configuration Wizard to automatically configure EMET with the recommended settings. [6] Also, ensure period defaults are updated through patching.

Browser Certificate Pinning

Google Chrome and Mozilla Firefox, among others, perform certificate pinning. They conduct a variation of certificate pinning using the HTTP Strict Transport Security (HSTS), which pre-loads a specific set of public key hashes into the HSTS configuration, limiting valid certificates to only those with the specified indicated public key. Chrome uses HTTPS pins for most Google properties. It uses whitelisted public keys which include keys from Verisign, Google Internet Authority, Equifax, and GeoTrust. Thus, Chrome will not accept certificates for Google properties from other CAs.

Firefox 32 on desktop and later (Firefox 34 and later on Android) has the ability to use certificate pinning. It also has the ability to enforce built-in pinsets (mapping of public keys) information to domains. Firefox will pin all sites that Chrome already does, pin their own sites after audit and cleansing, and pin other popular sites that are already in good standing. Please visit this site on How to Use Pinning [7] and for more information.

Implement DNS-based Authentication of Named Entities (DANE)

DANE is a protocol that allows certificates (X.509) commonly used for TLS. DANE is bound to DNS which uses Domain Name System Security Extensions (DNSSEC). A working group in the Internet Engineering Task Force of DANE developed a new type of DNS record that allows a domain itself to sign statements about which entities are authorized to represent it. [8]

Google Chrome does not use DANE but uses an add-on [9] for support. Mozilla Firefox also uses an add-on [10] to check the existence and validity of DNSSEC.

Use Network Notary Servers

Network notary servers aim to improve the security of communications between computers and websites by enabling browsers to verify website authenticity without relying on CAs. CAs are often considered a security risk because they can be compromised. [11] As a result, browsers can deem fraudulent sites trustworthy and are left vulnerable to MITM attacks.

Each network notary server, or group of servers, is public and can be operated by public/private organizations or individuals. These servers regularly monitor websites and build a history of each site’s certificate data over time. When a browser equipped with a network notary add-on communicates with a website and obtains its certificate information, a user-designated network notary server supplies the browser with historical certificate data for that site. If certificate information provided by the website is inconsistent with the notary’s historical data, a MITM attack could be at play. [12]

References

Revision History

April 30, 2015: Initial Release

This product is provided subject to this Notification and this Privacy & Use policy.

TA15-119A: Top 30 Targeted High Risk Vulnerabilities

Wed, 29 Apr 2015 04:00:00 +0000

Original release date: April 29, 2015 | Last revised: May 06, 2015

Systems Affected

Systems running unpatched software from Adobe, Microsoft, Oracle, or OpenSSL.

Overview

Cyber threat actors continue to exploit unpatched software to conduct attacks against critical infrastructure organizations. As many as 85 percent of targeted attacks are preventable [1].

This Alert provides information on the 30 most commonly exploited vulnerabilities used in these attacks, along with prevention and mitigation recommendations.

It is based on analysis completed by the Canadian Cyber Incident Response Centre (CCIRC) and was developed in collaboration with our partners from Canada, New Zealand, the United Kingdom, and the Australian Cyber Security Centre.

Description

Unpatched vulnerabilities allow malicious actors entry points into a network. A set of vulnerabilities are consistently targeted in observed attacks.

Impact

A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:

Temporary or permanent loss of sensitive or proprietary information,
Disruption to regular operations,
Financial losses relating to restoring systems and files, and
Potential harm to an organization’s reputation.

Solution

Maintain up-to-date software

The attack vectors frequently used by malicious actors such as email attachments, compromised “watering hole” websites, and other tools often rely on taking advantage of unpatched vulnerabilities found in widely used software applications. Patching is the process of repairing vulnerabilities found in these software components.

It is necessary for all organizations to establish a strong ongoing patch management process to ensure the proper preventive measures are taken against potential threats. The longer a system remains unpatched, the longer it is vulnerable to being compromised. Once a patch has been publicly released, the underlying vulnerability can be reverse engineered by malicious actors in order to create an exploit. This process has been documented to take anywhere from 24-hours to four days. Timely patching is one of the lowest cost yet most effective steps an organization can take to minimize its exposure to the threats facing its network.

Patch commonly exploited vulnerabilities

Executives should ensure their organization’s information security professionals have patched the following software vulnerabilities. Please see patching information for version specifics.

**Microsoft**
CVE	Affected Products	Patching Information
CVE-2006-3227	Internet Explorer	Microsoft Malware Protection Encyclopedia Entry
CVE-2008-2244	Office Word	Microsoft Security Bulletin MS08-042
CVE-2009-3129	Office Office for Mac Open XML File Format Converter for Mac Office Excel Viewer Excel Office Compatibility Pack for Word, Excel, and PowerPoint	Microsoft Security Bulletin MS09-067
CVE-2009-3674	Internet Explorer	Microsoft Security Bulletin MS09-072
CVE-2010-0806	Internet Explorer	Microsoft Security Bulletin MS10-018
CVE-2010-3333	Office Office for Mac Open XML File Format Converter for Mac	Microsoft Security Bulletin MS10-087
CVE-2011-0101	Excel	Microsoft Security Bulletin MS11-021
CVE-2012-0158	Office SQL Server BizTalk Server Commerce Server Visual FoxPro Visual Basic	Microsoft Security Bulletin MS12-027
CVE-2012-1856	Office SQL Server Commerce Server Host Integration Server Visual FoxPro Visual Basic	Microsoft Security Bulletin MS12-060
CVE-2012-4792	Internet Explorer	Microsoft Security Bulletin MS13-008
CVE-2013-0074	Silverlight and Developer Runtime	Microsoft Security Bulletin MS13-022
CVE-2013-1347	Internet Explorer	Microsoft Security Bulletin MS13-038
CVE-2014-0322	Internet Explorer	Microsoft Security Bulletin MS14-012
CVE-2014-1761	Microsoft Word Office Word Viewer Office Compatibility Pack Office for Mac Word Automation Services on SharePoint Server Office Web Apps Office Web Apps Server	Microsoft Security Bulletin MS14-017
CVE-2014-1776	Internet Explorer	Microsoft Security Bulletin MS14-021
CVE-2014-4114	Windows	Microsoft Security Bulletin MS14-060

**Oracle**
CVE	Affected Products	Patching Information
CVE-2012-1723	Java Development Kit, SDK, and JRE	Oracle Java SE Critical Patch Update Advisory - June 2012
CVE-2013-2465	Java Development Kit and JRE	Oracle Java SE Critical Patch Update Advisory - June 2013

**Adobe**
CVE	Affected Products	Patching Information
CVE-2009-3953	Reader Acrobat	Adobe Security Bulletin APSB10-02
CVE-2010-0188	Reader Acrobat	Adobe Security Bulletin APSB10-07
CVE-2010-2883	Reader Acrobat	Adobe Security Bulletin APSB10-21
CVE-2011-0611	Flash Player AIR Reader Acrobat	Adobe Security Bulletin APSB11-07 Adobe Security Bulletin APSB11-08
CVE-2011-2462	Reader Acrobat	Adobe Security Bulletin APSB11-30
CVE-2013-0625	ColdFusion	Adobe Security Bulletin APSB13-03
CVE-2013-0632	ColdFusion	Adobe Security Bulletin APSB13-03
CVE-2013-2729	Reader Acrobat	Adobe Security Bulletin APSB13-15
CVE-2013-3336	ColdFusion	Adobe Security Bulletin APSB13-13
CVE-2013-5326	ColdFusion	Adobe Security Bulletin APSB13-27
CVE-2014-0564	Flash Player AIR AIR SDK & Compiler	Adobe Security Bulletin APSB14-22

**OpenSSL**
CVE	Affected Products	Patching Information
CVE-2014-0160	OpenSSL	CERT Vulnerability Note VU#720951

Implement the following four mitigation strategies.

As part of a comprehensive security strategy, network administrators should implement the following four mitigation strategies, which can help prevent targeted cyber attacks.

Ranking	Mitigation Strategy	Rationale
1	Use application whitelisting to help prevent malicious software and unapproved programs from running.	Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
2	Patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office.	Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
3	Patch operating system vulnerabilities.
4	Restrict administrative privileges to operating systems and applications based on user duties.	Restricting these privileges may prevent malware from running or limit its capability to spread through the network.

It is recommended that users review US-CERT Security Tip (ST13-003) and CCIRC’s Mitigation Guidelines for Advanced Persistent Threats for additional background information and to assist in the detection of, response to, and recovery from malicious activity linked to advance persistent threats [2, 3].

References

Revision History

April 29, 2015: Initial release

This product is provided subject to this Notification and this Privacy & Use policy.

TA15-105A: Simda Botnet

Wed, 15 Apr 2015 12:51:51 +0000

Original release date: April 15, 2015

Systems Affected

Microsoft Windows

Overview

The Simda botnet – a network of computers infected with self-propagating malware – has compromised more than 770,000 computers worldwide [1].

The United States Department of Homeland Security (DHS), in collaboration with Interpol and the Federal Bureau of Investigation (FBI), has released this Technical Alert to provide further information about the Simda botnet, along with prevention and mitigation recommendations.

Description

Since 2009, cyber criminals have been targeting computers with unpatched software and compromising them with Simda malware [2]. This malware may re-route a user’s Internet traffic to websites under criminal control or can be used to install additional malware.

The malicious actors control the network of compromised systems (botnet) through backdoors, giving them remote access to carry out additional attacks or to “sell” control of the botnet to other criminals [1]. The backdoors also morph their presence every few hours, allowing low anti-virus detection rates and the means for stealthy operation [3].

Impact

A system infected with Simda may allow cyber criminals to harvest user credentials, including banking information; install additional malware; or cause other malicious attacks. The breadth of infected systems allows Simda operators flexibility to load custom features tailored to individual targets.

Solution

Users are recommended to take the following actions to remediate Simda infections:

Use and maintain anti-virus software - Anti-virus software recognizes and protects your computer against most known viruses. It is important to keep your anti-virus software up-to-date (see Understanding Anti-Virus Software for more information).
Change your passwords - Your original passwords may have been compromised during the infection, so you should change them (see Choosing and Protecting Passwords for more information).
Keep your operating system and application software up-to-date - Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it (see Understanding Patches for more information).
Use anti-malware tools - Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool (examples below) that will help with the removal of Simda from your system.

Kaspersky Lab : http://www.kaspersky.com/security-scan

Microsoft: http://www.microsoft.com/security/scanner/en-us/default.aspx

Trend Micro: http://housecall.trendmicro.com/

Check to see if your system is infected – The link below offers a simplified check for beginners and a manual check for experts.

Cyber Defense Institute: http://www.cyberdefense.jp/simda/

The above are examples only and do not constitute an exhaustive list. The U.S. government does not endorse or support any particular product or vendor.

References

Revision History

April 15, 2015: Initial Release

This product is provided subject to this Notification and this Privacy & Use policy.

TA15-103A: DNS Zone Transfer AXFR Requests May Leak Domain Information

Mon, 13 Apr 2015 19:36:12 +0000

Original release date: April 13, 2015 | Last revised: April 15, 2015

Systems Affected

Misconfigured Domain Name System (DNS) servers that respond to global Asynchronous Transfer Full Range (AXFR) requests.

Overview

A remote unauthenticated user may request a DNS zone transfer from a public-facing DNS server. If improperly configured, the DNS server may respond with information about the requested zone, revealing internal network structure and potentially sensitive information.

Description

AXFR is a protocol for “zone transfers” for replication of DNS data across multiple DNS servers. Unlike normal DNS queries that require the user to know some DNS information ahead of time, AXFR queries reveal resource records including subdomain names [1]. Because a zone transfer is a single query, it could be used by an adversary to efficiently obtain DNS data.

A well-known problem with DNS is that zone transfer requests can disclose domain information; for example, see CVE-1999-0532 and a 2002 CERT/CC white paper [2][3]. However, the issue has regained attention due to recent Internet scans still showing a large number of misconfigured DNS servers. Open-source, tested scripts are now available to scan for the possible exposure, increasing the likelihood of exploitation [4].

Impact

A remote unauthenticated user may observe internal network structure, learning information useful for other directed attacks.

Solution

Configure your DNS server to respond only to zone transfer (AXFR) requests from known IP addresses. Many open-source resources give instructions on reconfiguring your DNS server. For example, see this AXFR article for information on testing and fixing the configuration of a BIND DNS server. US-CERT does not endorse or support any particular product or vendor.

References

Revision History

April 13, 2015: Initial Release

This product is provided subject to this Notification and this Privacy & Use policy.

TA15-098A: AAEH

Thu, 09 Apr 2015 04:00:00 +0000

Original release date: April 09, 2015

Systems Affected

Microsoft Windows 95, 98, Me, 2000, XP, Vista, 7, and 8
Microsoft Server 2003, Server 2008, Server 2008 R2, and Server 2012

Overview

AAEH is a family of polymorphic downloaders created with the primary purpose of downloading other malware, including password stealers, rootkits, fake antivirus, and ransomware.

The United States Department of Homeland Security (DHS), in collaboration with Europol, the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ), released this Technical Alert to provide further information about the AAEH botnet, along with prevention and mitigation recommendations.

Description

AAEH is often propagated across networks, removable drives (USB/CD/DVD), and through ZIP and RAR archive files. Also known as VObfus, VBObfus, Beebone or Changeup, the polymorphic malware has the ability to change its form with every infection. AAEH is a polymorphic downloader with more than 2 million unique samples. Once installed, it morphs every few hours and rapidly spreads across the network. AAEH has been used to download other malware families, such as Zeus, Cryptolocker, ZeroAccess, and Cutwail.

Impact

A system infected with AAEH may be employed to distribute malicious software, harvest users' credentials for online services, including banking services, and extort money from users by encrypting key files and then demanding payment in order to return the files to a readable state. AAEH is capable of defeating anti-virus products by blocking connections to IP addresses associated with Internet security companies and by preventing anti-virus tools from running on infected machines.

Solution

Users are recommended to take the following actions to remediate AAEH infections:

Use and maintain anti-virus software - Anti-virus software recognizes and protects your computer against most known viruses. It is important to keep your anti-virus software up-to-date (see Understanding Anti-Virus Software for more information).
Change your passwords - Your original passwords may have been compromised during the infection, so you should change them (see Choosing and Protecting Passwords for more information).
Keep your operating system and application software up-to-date - Install software patches so that attackers can't take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it (see Understanding Patches for more information).
Use anti-malware tools - Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool (examples below) that will help with the removal of AAEH from your system.
Note: AAEH blocks AV domain names thereby preventing infected users from being able to download remediation tools directly from an AV company. The links below will take you to the tools at the respective AV sites. In the event that the tools cannot be accessed or downloaded from the vendor site, the tools are accessible from Shadowserver (http://aaeh.shadowserver.org).
F-Secure
http://www.f-secure.com/en/web/home_global/online-scanner (Windows Vista, 7 and 8)
http://www.f-secure.com/en/web/labs_global/removal-tools/-/carousel/view/142 (Windows XP)
McAfee
www.mcafee.com/stinger (Windows XP SP2, 2003 SP2, Vista SP1, 2008, 7 and 8)
Microsoft
http://www.microsoft.com/security/scanner/en-us/default.aspx (Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows XP)
Sophos
http://www.sophos.com/VirusRemoval (Windows XP SP2 and above)
Trend Micro
http://www.trendmicro.com/threatdetector (Windows XP, Windows Vista, Windows 7, Windows 8/8.1, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2)
The above are examples only and do not constitute an exhaustive list. The U.S. Government does not endorse or support any particular product or vendor.

References

International Police Operation Targets Polymorphic Beebone Botnet

Revision History

April 9, 2015: Initial Release

This product is provided subject to this Notification and this Privacy & Use policy.

TA15-051A: Lenovo Superfish Adware Vulnerable to HTTPS Spoofing

Fri, 20 Feb 2015 12:07:58 +0000

Original release date: February 20, 2015 | Last revised: February 24, 2015

Systems Affected

Lenovo consumer PCs that have Superfish VisualDiscovery installed.

Overview

Superfish adware installed on some Lenovo PCs install a non-unique trusted root certification authority (CA) certificate, allowing an attacker to spoof HTTPS traffic.

Description

Starting in September 2014, Lenovo pre-installed Superfish VisualDiscovery spyware on some of their PCs. This software intercepts users’ web traffic to provide targeted advertisements. In order to intercept encrypted connections (those using HTTPS), the software installs a trusted root CA certificate for Superfish. All browser-based encrypted traffic to the Internet is intercepted, decrypted, and re-encrypted to the user’s browser by the application – a classic man-in-the-middle attack. Because the certificates used by Superfish are signed by the CA installed by the software, the browser will not display any warnings that the traffic is being tampered with. Since the private key can easily be recovered from the Superfish software, an attacker can generate a certificate for any website that will be trusted by a system with the Superfish software installed. This means websites, such as banking and email, can be spoofed without a warning from the browser.

Although Lenovo has stated they have discontinued the practice of pre-installing Superfish VisualDiscovery, the systems that came with the software already installed will continue to be vulnerable until corrective actions have been taken.

To detect a system with Superfish installed, look for a HTTP GET request to:

superfish.aistcdn.com

The full request will look like:

http://superfish.aistcdn.com/set.php?ID=[GUID]&Action=[ACTION]

Where [ACTION] is at least 1, 2, or 3. 1 and then 2 are sent when a computer is turned on. 3 is sent when a computer is turned off.

Superfish uses a vulnerable SSL decryption library by Komodia. Other applications that use the library may be similarly affected. Please refer to CERT Vulnerability Note VU#529496 for more details and updates.

Impact

A machine with Superfish VisualDiscovery installed will be vulnerable to SSL spoofing attacks without a warning from the browser.

Solution

Uninstall Superfish VisualDiscovery and associated root CA certificate

Users should uninstall Superfish VisualDiscovery. Lenovo has provided a tool to uninstall Superfish and remove all associated certificates.

It is also necessary to remove affected root CA certificates. Simply uninstalling the software does not remove the certificate. Microsoft provides guidance on deleting and managing certificates in the Windows certificate store. In the case of Superfish VisualDiscovery, the offending trusted root certification authority certificate is issued to “Superfish, Inc.”

Mozilla provides similar guidance for their software, including the Firefox and Thunderbird certificate stores.

References

Revision History

February 20, 2015: Initial release
February 20, 2015: Clarified software release dates
February 24, 2015: Updated description and solution details

This product is provided subject to this Notification and this Privacy & Use policy.

TA14-353A: Targeted Destructive Malware

Fri, 19 Dec 2014 15:39:36 +0000

Original release date: December 19, 2014 | Last revised: December 25, 2014

Systems Affected

Microsoft Windows

Overview

US-CERT was recently notified by a trusted third party of cyber threat actors using a Server Message Block (SMB) Worm Tool to conduct cyber exploitation activities recently targeting a major entertainment company. This SMB Worm Tool is equipped with a Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning Tool.

SMB Worm Tool: This worm uses a brute force authentication attack to propagate via Windows SMB shares. It connects home every five minutes to send log data back to command and control (C2) infrastructure if it has successfully spread to other Windows hosts via SMB port 445. The tool also accepts new scan tasking when it connects to C2. There are two main threads: the first thread calls home and sends back logs (a list of successful SMB exploitations), and the second thread attempts to guess passwords for SMB connections. If the password is correctly guessed, a file share is established and file is copied and run on the newly-infected host.

Listening Implant: During installation of this tool, a portion of the binaries is decrypted using AES, with a key derived from the phrase "National Football League." Additionally, this implant listens for connections on TCP port 195 (for "sensvc.exe" and "msensvc.exe") and TCP port 444 (for "netcfg.dll"). Each message sent to and from this implant is preceded with its length, then XOR encoded with the byte 0x1F. Upon initial connection, the victim sends the string, "HTTP/1.1 GET /dns?\x00." The controller then responds with the string "200 www.yahoo.com!\x00" (for "sensvc.exe" and "msensvc.exe") or with the string "RESPONSE 200 OK!!" (for "netcfg.dll"). The controller sends the byte "!" (0x21) to end the network connection. This special message is not preceded with a length or XOR encoded.

Lightweight Backdoor: This is a backdoor listener that is designed as a service DLL. It includes functionality such as file transfer, system survey, process manipulation, file time matching and proxy capability. The listener can also perform arbitrary code execution and execute commands on the command line. This tool includes functionality to open ports in a victim host's firewall and take advantage of universal Plug and Play (UPNP) mechanisms to discover routers and gateway devices, and add port mappings, allowing inbound connections to victim hosts on Network Address Translated (NAT) private networks. There are no callback domains associated with this malware since connections are inbound only on a specified port number.

Proxy Tool: Implants in this malware family are typically loaded via a dropper installed as a service, then configured to listen on TCP port 443. The implant may have an associated configuration file which can contain a configurable port. This proxy tool has basic backdoor functionality, including the ability to fingerprint the victim machine, run remote commands, perform directory listings, perform process listings, and transfer files.

Destructive Hard Drive Tool: This tool is a tailored hard-drive wiping tool that is intended to destroy data past the point of recovery and to complicate the victim machine’s recovery. If the CNE operator has administrator-level privileges on the host, the program will over-write portions of up-to the first four physical drives attached, and over-write the master boot record (MBR) with a program designed to cause further damage if the hard drive is re-booted. This further results in the victim machine being non-operational with irrecoverable data (There is a caveat for machines installed with the windows 7 operating system: windows 7 machines will continue to operate in a degraded state with the targeted files destroyed until after reboot, in which the infected MBR then wipes the drive.) If the actor has user-level access, the result includes specific files being deleted and practically irrecoverable, but the victim machine would remain usable.

Destructive Target Cleaning Tool: This tool renders victim machines inoperable by overwriting the Master Boot Record. The tool is dropped and installed by another executable and consists of three parts: an executable and a dll which contain the destructive components, and an encoded command file that contains the actual destruction commands to be executed.

Network Propagation Wiper: The malware has the ability to propagate throughout the target network via built-in Windows shares. Based on the username/password provided in the configuration file and the hostname/IP address of target systems, the malware will access remote network shares in order to upload a copy of the wiper and begin the wiping process on these remote systems. The malware uses several methods to access shares on the remote systems to begin wiping files. Checking for existing shares via “\\hostname\admin$\system32” and “\\hostname\shared$\system32” or create a new share “cmd.exe /q /c net share shared$=%SystemRoot% /GRANT:everyone, FULL”. Once successful, the malware uploads a copy of the wiper file “taskhostXX.exe”, changes the file-time to match that of the built-in file “calc.exe”, and starts the remote process. The remote process is started via the command “cmd.exe /c wmic.exe /node:hostname /user:username /password:pass PROCESS CALL CREATE”. Hostname, username, and password are then obtained from the configuration file. Afterwards, the remote network share is removed via “cmd.exe /q /c net share shared$ /delete”. Once the wiper has been uploaded, the malware reports its status back to one of the four C2 IP addresses.

Technical and strategic mitigation recommendations are included in the Solution section below.

US-CERT recommends reviewing the Security Tip Handling Destructive Malware #ST13-003.

Description

Cyber threat actors are using an SMB worm to conduct cyber exploitation activities. This tool contains five components – a listening implant, lightweight backdoor, proxy tool, destructive hard drive tool, and destructive target cleaning tool.

The SMB worm propagates throughout an infected network via brute-force authentication attacks, and connects to a C2 infrastructure.

Impact

Due to the highly destructive functionality of this malware, an organization infected could experience operational impacts including loss of intellectual property and disruption of critical systems.

Solution

Users and administrators are recommended to take the following preventive measures to protect their computer networks:

Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. It is important to keep your anti-virus software up-to-date (see Understanding Anti-Virus Software for more information).
Keep your operating system and application software up-to-date – Install software patches so that attackers can't take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it (see Understanding Patches for more information).
Review Security Tip Handling Destructive Malware #ST13-003 and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event.
Review Recommended Practices for Control Systems, and Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies (pdf).

The following is a list of the Indicators of Compromise (IOCs) that can be added to network security solutions to determine whether they are present on a network.

Import Hashes:

SMB worm tool:

Import hash: f6f48551d7723d87daeef2e840ae008f