CVE No: CVE-2018-0016.

MODIFICATION HISTORY: 11/04/2018 – Initial Publication

CVSS SCORE: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

RISK LEVEL: Critical

RISK ASSESSMENT: Information for how Juniper Networks uses CVSS can be found at KB 16446 “Common Vulnerability Scoring System (CVSS) and Juniper’s Security Advisories.”

PRODUCT AFFECTED: This issue affects Junos OS 15.1, 15.1X49, 15.1X53.

PROBLEM:

Receipt of a specially crafted Connectionless Network Protocol (CLNP) packet destined to an interface IP address of a Junos OS device may result in a kernel crash or lead to remote code execution.

Devices are only vulnerable to the specially crafted CLNP packet if ‘clns-routing’ or ESIS is explicitly configured. Devices without CLNS enabled are not vulnerable to this issue.

This issue only affects devices running Junos OS 15.1. Affected releases are Juniper Networks Junos OS:

• 1 versions prior to 15.1F5-S3, 15.1F6-S8, 15.1F7, 15.1R5;
• 1X49 versions prior to 15.1X49-D60;
• 1X53 versions prior to 15.1X53-D66, 15.1X53-D233, 15.1X53-D471.

Earlier releases are unaffected by this vulnerability, and the issue has been resolved in Junos OS 16.1R1 and all subsequent releases.

The following configuration is required:

• set protocols isis clns-routing

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was found during internal product security testing or research.

SOLUTION:

The following software releases have been updated to resolve this specific issue: 15.1F5-S3, 15.1F6-S8, 15.1F7, 15.1R5, 15.1X49-D60, 15.1X53-D66, 15.1X53-D233, 15.1X53-D471, 16.1R1, and all subsequent releases.

Note: Juniper SIRT’s policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

WORKAROUND:

Use access lists or firewall filters to limit access to the device via CLNP only from trusted hosts.

IMPLEMENTATION:

Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.

RELATED LINKS:

• KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process
• KB16765: In which releases are vulnerabilities fixed?
• KB16446: Common Vulnerability Scoring System (CVSS) and Juniper’s Security Advisories
• Report a Vulnerability – How to Contact the Juniper Networks Security Incident Response Team

The information contained in this website is for general information purposes only. The information is gathered from KB Juniper while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

Adobe and Microsoft each released critical fixes for their products today, a.k.a “Patch Tuesday,” the second Tuesday of every month..

The Microsoft updates impact many core Windows components, including the built-in browsers Internet Explorer and Edge, as well as Office, the Microsoft Malware Protection Engine, Microsoft Visual Studio and Microsoft Azure.

That flaw, discovered and reported by Google’s Project Zero program, is reportedly quite easy to exploit and impacts the malware scanning capabilities for a variety of Microsoft anti-malware products, including Windows Defender, Microsoft Endpoint Protection and Microsoft Security Essentials.

Microsoft really wants users to install these updates as qucikly as possible, but it might not be the worst idea to wait a few days before doing so: Quite often, problems with patches that may cause systems to end up in an endless reboot loop are reported and resolved with subsequent updates within a few days after their release. However, depending on which version of Windows you’re using it may be difficult to put off installing these patches.

Windows 10 receives updates automatically, “and for customers running previous versions, is recommended to turn on automatic updates as a best practice.” Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update. In any case, don’t put off installing these updates too long.

Adobe’s Flash Player update fixes at least two critical bugs in the program. Adobe said it is not aware of any active exploits in the wild against either flaw, but if you’re not using Flash routinely for many sites, you probably want to disable or remove this buggy program.

Adobe is phasing out Flash entirely by 2020, but most of the major browsers already take steps to hobble Flash. And with good reason: It’s a major security liability. Google Chrome also bundles Flash, but blocks it from running on all but a handful of popular sites, and then only after user approval.

For Windows users with Mozilla Firefox installed, the browser prompts users to enable Flash on a per-site basis. Through the end of 2017 and into 2018, Microsoft Edge will continue to ask users for permission to run Flash on most sites the first time the site is visited, and will remember the user’s preference on subsequent visits.

The latest standalone version of Flash that addresses these bugs is 29.0.0.140  for Windows, Mac, Linux and Chrome OS. But most users probably would be better off manually hobbling or removing Flash altogether, since so few sites actually require it still. Disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items. By default it should be set to “Ask first” before running Flash, although users also can disable Flash entirely here or whitelist and blacklist specific sites.

The information contained in this website is for general information purposes only. The information is gathered from Security Boulevard while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

Intel recently finished its barrage of CPU microcode updates designed to combat the nasty Spectre variant 2 exploit, and today, AMD revealed its plans to protect PCs against the flaw. (AMD processors aren’t vulnerable to Meltdown.)

AMD’s announcement, penned by chief technical officer Mark Papermaster, released alongside Microsoft’s monthly “Patch Tuesday” update and showcases how complex plugging Meltdown and Spectre’s security holes can be. Today’s Windows 10 updates include code containing Spectre variant 2 mitigations at an operating system level, similarly to how a Windows update in early January protected against Specter variant 1.

But unlike that earlier patch, today’s Windows update is only part of the solution. AMD says it’s also released CPU firmware updates with “our recommended mitigations addressing Variant 2” to the company’s hardware partners, with patches available for processors going back to CPUs built on the “Bulldozer” architecture in 2011. (Intel’s firmware updates stop around the same time frame.) The post doesn’t specify which processors received patches, but presumably AMD’s newer Ryzen processors were at the front of the line. Fingers crossed.

Also cross your fingers that your system will even see the motherboard updates needed to apply AMD’s new CPU firmware. You don’t download Spectre mitigations directly from Intel or AMD; instead, you need to wait for the maker of your motherboard or prebuilt desktop to release a new BIOS with the fixes wrapped in. A quick check of a handful of prominent Ryzen X370 motherboards didn’t show any April BIOS updates, though Tech Report says it was able to fully patch one of its systems. Patience is key, it seems.

I’d expect to see many Ryzen-era motherboards patched to include CPU microcode that protects against Spectre, but don’t hold your breath for older systems. On the Intel side, no motherboard vendors have pledged to release BIOS updates for anything older than 6th-gen “Skylake”-era systems, which launched in 2015. AMD’s firmware updates do no good if you can’t get them on your older PC.

On the plus side, AMD still maintains that the Spectre variant 2 mitigations are “difficult to exploit” on its processors, and originally classified these microcode updates as optional. Nevertheless, you’ll want to safeguard your computer as much as possible. If a Spectre-slamming BIOS update isn’t available for your motherboard or Pre-Built desktop system, also consider investing in a strong antivirus solution because security researchers have discovered malware designed to exploit these vulnerabilities.

The information contained in this website is for general information purposes only. The information is gathered from PCWorld IDG while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

CVE Reference: CVE-2018-1032

Date: Apr 11 2018

Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information

Fix Available: Yes

Vendor Confirmed: Yes

Version(s): 2010 SP2, 2013 SP1, 2016

Description:

A vulnerability was reported in Microsoft SharePoint. A remote authenticated user can conduct cross-site scripting attacks.

The software does not properly filter HTML code from user-supplied input before displaying the input. A remote authenticated user can cause arbitrary scripting code to be executed by the target user’s browser. The code will originate from the site running the Microsoft SharePoint Server software and will run in the security context of that site. As a result, the code will be able to access the target user’s cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Impact:

A remote authenticated user can access the target user’s cookies (including authentication cookies), if any, associated with the site running the Microsoft SharePoint Server software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:

The vendor has issued a fix.

Microsoft Advisories are available at:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1032

https://www.microsoft.com/downloads/details.aspx?familyid=9cf1a58c-6ac6-4d23-8492-1b15bd76d099

https://www.microsoft.com/downloads/details.aspx?familyid=c0dfd1dc-a9c2-4d25-876f-2209adc7f0ec

https://www.microsoft.com/downloads/details.aspx?familyid=a1e7b543-d5fa-4b0b-a49a-9fc96b69ad92

Cause:

Input validation error

Underlying OS:

Windows (2008), Windows (2012), Windows (2016)

The information contained in this website is for general information purposes only. The information is gathered from Security Tracker while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

The perception about Apple devices is that they are protected from attacks by default which is not true. Information security training researchers at Trend Micro have discovered a new malware which they believe is associated with OceanLotus also known as SeaLotus, Cobalt Kitty, APT 32, and APT-C-00. OceanLotus group is well known for targeting maritime construction firms, research institutes, media and human rights organizations.

Detected as OSX_OCEANLOTUS.D, the malware aims at Mac devices that have Perl programming language installed on the system and is being delivered through phishing emails attached with a Microsoft Word document.

Once information security training experts analyzed the document, noted that its content invites users to register themselves for an event organized by HDMC, a Vietnamese organization that advertises national independence and democracy.

The document contains malicious macros. The email recommends victims to enable macros to read the email and once that’s done the obfuscated macros extract an .XML file from the Word document which is actually an executable file and works as the dropper of the backdoor, which is the final payload.

Also, all strings within the dropper including the backdoor are encrypted using a hardcoded RSA256 key. The dropper checks whether it is running as a root or not and based on that it selects where it needs to be installed.

“When the dropper installs the backdoor, it sets its attributes to “hidden” and sets file date and time to random values,” information security training researchers noted. “The dropper will delete itself at the end of the process.”

The backdoor depends on two functions including runHandle and infoClient. The runHandle function is responsible for the backdoor capabilities whereas infoClient collects platform information and sends it to the command and control (C&C) server.

“Malicious attacks targeting Mac devices are not as common as its counterparts, but the discovery of this new macOS backdoor that is presumably distributed via phishing email calls for every user to adopt best practices for phishing attacks regardless of operating system,” concluded.

Now it is unclear how many victims this new malware has found or if it has spread outside Vietnam; information security training professionals said that macOS users should remain vigilant and refrain from clicking links or downloading files from unknown emails. Moreover, use anti-malware software, scan your device daily and keep its operating system updated.

The information contained in this website is for general information purposes only. The information is gathered from Security Newspaper while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.