Ειδοποιήσεις

 

CVE Reference: CVE-2018-1032

Date: Apr 11 2018

Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information

Fix Available: Yes

Vendor Confirmed: Yes

Version(s): 2010 SP2, 2013 SP1, 2016

 

Description:

A vulnerability was reported in Microsoft SharePoint. A remote authenticated user can conduct cross-site scripting attacks.

The software does not properly filter HTML code from user-supplied input before displaying the input. A remote authenticated user can cause arbitrary scripting code to be executed by the target user’s browser. The code will originate from the site running the Microsoft SharePoint Server software and will run in the security context of that site. As a result, the code will be able to access the target user’s cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Impact:

A remote authenticated user can access the target user’s cookies (including authentication cookies), if any, associated with the site running the Microsoft SharePoint Server software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:

The vendor has issued a fix.

Microsoft Advisories are available at:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1032

https://www.microsoft.com/downloads/details.aspx?familyid=9cf1a58c-6ac6-4d23-8492-1b15bd76d099

https://www.microsoft.com/downloads/details.aspx?familyid=c0dfd1dc-a9c2-4d25-876f-2209adc7f0ec

https://www.microsoft.com/downloads/details.aspx?familyid=a1e7b543-d5fa-4b0b-a49a-9fc96b69ad92

Cause:

Input validation error

Underlying OS:

Windows (2008), Windows (2012), Windows (2016)

 

The information contained in this website is for general information purposes only. The information is gathered from Security Tracker while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

The perception about Apple devices is that they are protected from attacks by default which is not true. Information security training researchers at Trend Micro have discovered a new malware which they believe is associated with OceanLotus also known as SeaLotus, Cobalt Kitty, APT 32, and APT-C-00. OceanLotus group is well known for targeting maritime construction firms, research institutes, media and human rights organizations.

Detected as OSX_OCEANLOTUS.D, the malware aims at Mac devices that have Perl programming language installed on the system and is being delivered through phishing emails attached with a Microsoft Word document.

Once information security training experts analyzed the document, noted that its content invites users to register themselves for an event organized by HDMC, a Vietnamese organization that advertises national independence and democracy.

The document contains malicious macros. The email recommends victims to enable macros to read the email and once that’s done the obfuscated macros extract an .XML file from the Word document which is actually an executable file and works as the dropper of the backdoor, which is the final payload.

Also, all strings within the dropper including the backdoor are encrypted using a hardcoded RSA256 key. The dropper checks whether it is running as a root or not and based on that it selects where it needs to be installed.

“When the dropper installs the backdoor, it sets its attributes to “hidden” and sets file date and time to random values,” information security training researchers noted. “The dropper will delete itself at the end of the process.”

The backdoor depends on two functions including runHandle and infoClient. The runHandle function is responsible for the backdoor capabilities whereas infoClient collects platform information and sends it to the command and control (C&C) server.

“Malicious attacks targeting Mac devices are not as common as its counterparts, but the discovery of this new macOS backdoor that is presumably distributed via phishing email calls for every user to adopt best practices for phishing attacks regardless of operating system,” concluded.

Now it is unclear how many victims this new malware has found or if it has spread outside Vietnam; information security training professionals said that macOS users should remain vigilant and refrain from clicking links or downloading files from unknown emails. Moreover, use anti-malware software, scan your device daily and keep its operating system updated.

 

The information contained in this website is for general information purposes only. The information is gathered from Security Newspaper while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

 

You have always been warned not to share remote access to your computer with untrusted people for any reason—it’s a basic cybersecurity advice, and common sense, right?

But what if, I tell you should not even trust anyone who invites or offer you full remote access to their computers.

A critical vulnerability has been discovered in Microsoft’s Windows Remote Assistance (Quick Assist) feature that affects all versions of Windows to date, including Windows 10, 8.1, RT 8.1, and 7, and allows remote attackers to steal sensitive files on the targeted machine.

Windows Remote Assistance is a built-in tool that allows someone you trust to take over your PC (or you to take remote control of others) so they can help you fix a problem from anywhere around the world.

 

The feature relies on the Remote Desktop Protocol (RDP) to establish a secure connection with the person in need. However, Nabeel Ahmed of Trend Micro Zero Day Initiative discovered and reported an information disclosure vulnerability (CVE-2018-0878) in Windows Remote Assistance that could allow attackers to obtain information to further compromise the victim’s system.

 

The vulnerability, which has been fixed by the company in this month’s Patch Tuesday, resides in the way Windows Remote Assistance processes XML External Entities (XXE). The vulnerability affects Microsoft Windows Server 2016, Windows Server 2012 and R2, Windows Server 2008 SP2 and R2 SP1, Windows 10 (both 32- and 64-bit), Windows 8.1 (both 32- and 64-bit) and RT 8.1, and Windows 7 (both 32- and 64-bit).

 

The information contained in this website is for general information purposes only. The information is gathered from The Hacker News while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

Samba maintainers have just released new versions of their networking software to patch two critical vulnerabilities that could allow unprivileged remote attackers to launch DoS attacks against servers and change any other users’ passwords, including admin’s.

Samba is open-source software (re-implementation of SMB networking protocol) that runs on the majority of operating systems available today, including Windows, Linux, UNIX, IBM System 390, and OpenVMS.

Samba allows non-Windows operating systems, like GNU/Linux or Mac OS X, to share network shared folders, files, and printers with Windows operating system.The denial of service vulnerability, assigned CVE-2018-1050, affects all versions of Samba from 4.0.0 onwards and could be exploited “when the RPC spoolss service is configured to be run as an external daemon.”

“Missing input sanitization checks on some of the input parameters to spoolss RPC calls could cause the print spooler service to crash. If the RPC spoolss service is left by default as an internal service, all a client can do is crash its own authenticated connection.” Samba advisory says.

The second vulnerability, assigned CVE-2018-1057, allows unprivileged authenticated users to change any other users’ passwords, including admin users, over LDAP.

Password reset flaw exists on all versions of Samba from 4.0.0 onwards, but works only in Samba Active Directory DC implementation, as it doesn’t properly validate permissions of users when they request to modify passwords over LDAP.

A large number of servers might potentially be at risk, because Samba ships with a wide range of Linux distributions.The maintainers of Samba have addressed both vulnerabilities with the release of new Samba versions 4.7.6, 4.6.14, 4.5.16 and have advised administrators to update vulnerable servers immediately.

If you are running an older version of Samba, check for available patches here.

 

The information contained in this website is for general information purposes only. The information is gathered from The Hacker News while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.