@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
December 20, 2012
=============================================================
@RISK: The Consensus Security Vulnerability Alert
Vol. 12, Num. 51
Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST POPULAR MALWARE FILES 12/13/2012 - 12/19/2012
============================================================
TOP VULNERABILITY THIS WEEK: An arbitrary memory write vulnerability in certain Samsung chipset drivers has been demonstrated in the wild, with easy-to-use source code available for exploit generation. Attacks are presumed to be commencing; CyanogenMod has released a patch, but mainstream Samsung device users have not yet received one, despite claims that Samsung has a patch tested and available.
============================================================
TRAINING UPDATE
--SANS Security East 2013 New Orleans, LA January 16-23, 2013
11 courses. Bonus evening presentations include The Next Wave - Data
Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your
Friends and Neighbors for Fun. Special Event: NetWars Tournament of
Champions.
http://www.sans.org/event/security-east-2013
--North American SCADA and Process Control Summit 2013
Lake Buena Vista, FL February 6-13, 2013
The Summit brings together the program managers, control systems
engineers, IT security professionals and critical infrastructure
protection specialists from asset owning and operating organizations
along with control systems and security vendors who have innovative
solutions for improving security. The Security Summit is an action
conference designed so that every attendee leaves with new tools and
techniques they can put to work immediately when they return to their
office. The Summit is the place to come and interact with top SCADA
experts, key government personnel, researchers and asset owners at the
multiple special networking events.
8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater
Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013
--SANS Secure Singapore 2013 February 25-March 2, 2013
6 courses. Bonus evening presentation: Security of National eID
(smartcard-based) Web Applications.
http://www.sans.org/event/singapore-2013
--SANS 2013 Orlando, FL March 8-March 15, 2013
46 courses. Bonus evening presentations include Why Our Defenses Are
Failing Us: One Click Is All It Takes ...; Human Nature and Information
Security: Irrational and Extraneous Factors That Matter; and
Over-Zealous Social Media Investigations: Beware the Privacy Monster.
http://www.sans.org/event/sans-2013
--Looking for training in your own community?
http://www.sans.org/community/
--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/onCyberdemand/discounts.php#current
Plus Anaheim, New Delhi, Scottsdale, Brussels, and Johannesburg all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM
Title: Samsung device driver arbitrary memory overwrite vulnerability
Description: A user by the name of alephzain posted details of a major
memory access vulnerability in devices using certain Samsung chipsets
and kernels, which allows Android applications installed on a device
to overwrite arbitrary system memory as root via the /dev/exynos
"System on a Chip" devices. The device is present in many popular
Samsung hardware platforms, including the Galaxy SII and SIII, the
MEIZU MX, etc. Full details, including system libraries, sample exploit
code, etc., were published along with the writeup, and exploits are
presumed to be starting to circulate in the wild at this point. Multiple
users on XDA-Developers have posted patches, and CyanogenMod has already
committed a fix for its users. Meanwhile, other users of the popular
Android development forum have charged that Samsung has had a patch for
this known "open source" issue for weeks and has not released a fix for
it, despite other updates having been pushed to its customers in the
interim, highlighting the serious issue of vendors' and carriers'
reluctance to patch rapidly for mobile devices.
Reference:
http://forum.xda-developers.com/showthread.php?t=2048511
http://en.wikipedia.org/wiki/Exynos_(system_on_chip)
http://www.androidauthority.com/xda-developer-patches-samsung-exynos-chip-vulnerability-140742/
Snort SID:
ClamAV:
Title: FBI report says SCADA "Niagara" backdoor exploited in the US this year
Description: Using nothing more than the popular web device search
service Shodan, attackers in the wild have been exploiting an
authentication bypass vulnerability in the Niagara AX Framework, made
by Richmond, VA-based firm Tridium. The web interface for the framework,
by default, does not require a password, and provides full
administrative access to systems controlling HVAC in offices around the
world. The system was typically set up with floor plans, personnel and
departmental names, etc., providing a wealth of useful data for spear
phishers, social engineers, and the like. As of Wednesday, Dec. 19, no
notice was posted on the vendor's site discussing a patch or any
mitigations for this vulnerability. Potentially impacted users are urged
to shut down unnecessary web services, and restrict access to any others
to only authorized, known IP addresses.
Reference:
http://www.wired.com/images_blogs/threatlevel/2012/12/FBI-AntisecICS.pdf
http://www.shodanhq.com/search?q=niagara_audit+-login
http://arstechnica.com/security/2012/12/intruders-hack-industrial-control-system-using-backdoor-exploit/
http://www.tridium.com/cs/products_/_services/niagaraax
Snort SID: 25057
ClamAV: N/A
Title: Anonymous Doxes the WBC
Description: Members of the Anonymous collective posted personal and
professional contact details for members of the Westboro Baptist Church
online on Pastebin Sunday morning, apparently in response to the WBC's
announcement that it would be protesting the funerals of those taken in
the recent tragedy in Newtown, CT last week. How the private
information was found was not disclosed by Anonymous, and little
speculation has been put forward within the information security
community. The move coincided with other political moves surrounding the
group, such as a White House online petition that has gathered close to
200,000 signatures asking that the WBC be legally recognized as a hate
group.
Reference:
http://pastebin.com/2PmbBm8f
https://petitions.whitehouse.gov/petition/legally-recognize-westboro-baptist-church-hate-group/DYf3pH2d
Snort SID: N/A
ClamAV: N/A
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
Setting HoneyTraps with ModSecurity: Unused Web Ports:
http://blog.spiderlabs.com/2012/12/setting-honeytraps-with-modsecurity-unused-web-ports.html
Why Google Maps is better than Apple Maps:
http://www.theatlantic.com/technology/archive/2012/12/why-google-maps-is-better-than-apple-maps/266218/
Has WWII carrier pigeon message been cracked?
http://www.bbc.co.uk/news/uk-20749632
Mercury Android malware system releases new version:
http://labs.mwrinfosecurity.com/blog/2012/12/14/whats-new-in-mercury-v2/
Scientific study of malware obfuscation techniques:
http://www.xors.me/?p=6126
Inside Impact Exploit Kit:
http://malware.dontneedcoffee.com/2012/12/inside-impact-exploit-kit-back-on-track.html
The Dexter malware: getting your hands dirty:
http://blog.spiderlabs.com/2012/12/the-dexter-malware-getting-your-hands-dirty.html
Lessons learned from US financial services DDoS attacks:
http://ddos.arbornetworks.com/2012/12/lessons-learned-from-the-u-s-financial-services-ddos-attacks/
From SQL injection to shell: PostgreSQL edition:
https://pentesterlab.com/from_sqli_to_shell_pg_edition.html
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM.
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2012-4959
Title: Novell File Reporter Agent XML Parsing Remote Code Execution Vulnerability
Vendor: Novell
Description: Directory traversal vulnerability in NFRAgent.exe in Novell
File Reporter 1.0.2 allows remote attackers to upload and execute files
via a 130 /FSF/CMD request with a .. (dot dot) in a FILE element of an
FSFUI record.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2010-2590
Title: SAP Crystal Reports Print ActiveX "PrintControl.dll" Heap Buffer Overflow Vulnerability
Vendor: SAP
Description: Heap-based buffer overflow in the
CrystalReports12.CrystalPrintControl.1 ActiveX control in
PrintControl.dll 12.3.2.753 in SAP Crystal Reports 2008 SP3 Fix Pack 3.2
allows remote attackers to execute arbitrary code via a long
ServerResourceVersion property value.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2012-5975
Title: SSH Tectia Authentication Bypass Remote
Vendor: SSH Communications
Description: A remote authentication bypass vulnerability was disclosed
which affects the current Unix/Linux versions of Tectia SSH Server. The
published exploit abuses a bug in the handling of the SSH USERAUTH
CHANGE REQUEST function.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ID: CVE-2012-6066
Title: FreeFTPD /FreeSSHD Remote Authentication Security Bypass Vulnerability
Vendor: freesshd
Description: freeSSHd.exe in freeSSHd through 1.2.6 allows remote
attackers to bypass authentication via a crafted session, as
demonstrated by an OpenSSH client with modified versions of ssh.c and
sshconnect2.c.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2012-5611
Title: Oracle MySQL Server Command Processing Buffer Overflow Vulnerability
Vendor: Oracle
Description: Stack-based buffer overflow in MySQL 5.5.19, 5.1.53, and
possibly other versions, and MariaDB 5.5.2.x before 5.5.28a, 5.3.x
before 5.3.11, 5.2.x before 5.2.13 and 5.1.x before 5.1.66, allows
remote authenticated users to execute arbitrary code via a long argument
to the GRANT FILE command.
CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
MOST POPULAR MALWARE FILES 12/13/2012 - 12/19/2012:
COMPILED BY SOURCEFIRE
(Virustotal links that are not found mean that the file that Sourcefire is detecting has not yet been analyzed by Virustotal)
(c) 2012. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account