Alerts

The Splunk Enterprise solution allows organizations to aggregate, search, analyze, and visualize data from various sources that are critical to business operations.

Splunk Light is a comprehensive solution for small IT environments that automates log analysis and integrates server and network monitoring.

“To mitigate these issues, Splunk recommends upgrading to the latest release and applying as many of the Hardening Standards from the Securing Splunk documentation as are relevant to your environment. Splunk Enterprise and Splunk Light releases are cumulative, meaning that future releases will contain fixes to these vulnerabilities, new features and other bug fixes,” reads the advisory published by Splunk.

The most severe issue fixed by the company is a high-severity cross-site scripting (XSS) flaw in the Web interface, tracked as CVE-2018-7427, which received a CVSS score of 8.1.

Another severe vulnerability is a DoS flaw, tracked as CVE-2018-7432, that could be exploited with malicious HTTP requests sent to Splunkd, the system process that handles indexing, searching and forwarding. The company rated this issue “medium severity.”

The company also addressed a denial-of-service (DoS) vulnerability, tracked as CVE-2018-7429, that could be exploited by an attacker by sending a specially crafted HTTP request to Splunkd.

The last flaw addressed by the vendor, tracked as CVE-2018-7431, is a path traversal issue that allows an authenticated attacker to download arbitrary files from the Splunk Django app. The vulnerability has been rated “medium severity.”

Affected versions:

  • Cross Site Scripting in Splunk Web (CVE-2018-7427)
      • Affected Product Versions: Splunk Enterprise versions 6.5.x before 6.5.3, 6.4.x before 6.4.7, 6.3.x before 6.3.10, 6.2.x before 6.2.14, 6.1.x before 6.1.13, 6.0.x before 6.0.14 and Splunk Light before 6.6.0
      • Affected Components: All Splunk Enterprise components running Splunk Web.
  • Denial of Service (CVE-2018-7432)
      • Affected Product Versions: Splunk Enterprise versions 6.5.x before 6.5.3, 6.4.x before 6.4.7, 6.3.x before 6.3.10, 6.2.x before 6.2.14 and Splunk Light before 6.6.0
      • Affected Components: All Splunk Enterprise components running Splunk Web.
  • Path Traversal Vulnerability in Splunk Django App (CVE-2018-7431)
      • Affected Product Versions: Splunk Enterprise versions 6.5.x before 6.5.3, 6.4.x before 6.4.6, 6.3.x before 6.3.10, 6.2.x before 6.2.14, 6.1.x before 6.1.13, 6.0.x before 6.0.14 and Splunk Light before 6.6.0
      • Affected Components: All Splunk Enterprise components running Splunk Web.
  • Splunkd Denial of Service via Malformed HTTP Request (CVE-2018-7429)
      • Affected Product Versions: Splunk Enterprise versions 6.4.x before 6.4.8, 6.3.x before 6.3.11, 6.2.x before 6.2.14 and Splunk Light before 6.5.0
      • Affected Components: All Splunk Enterprise components running Splunk Web.

The vendor declared it has found no evidence that these vulnerabilities have been exploited in attacks in the wild.

The information contained in this website is for general information purposes only. The information is gathered from Security Affairs. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or an endorsement of the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

A four-year-old severe vulnerability has been discovered in the Secure Shell (SSH) implementation library known as Libssh that could allow anyone to completely bypass authentication and gain unfettered administrative control over a vulnerable server without requiring a password.

The security vulnerability, tracked as CVE-2018-10933, is an authentication-bypass issue that was introduced in Libssh version 0.6, released in early 2014, leaving thousands of enterprise servers open to hackers for the last four years.

But before you get frightened, you should know that neither the widely used OpenSSH nor GitHub’s implementation of libssh was affected by the vulnerability.

The vulnerability stems from a coding error in Libssh and is “ridiculously simple” to exploit.

According to a security advisory published Tuesday, all an attacker needs to do is send an “SSH2_MSG_USERAUTH_SUCCESS” message to a server with an SSH connection enabled when it expects an “SSH2_MSG_USERAUTH_REQUEST” message.

Due to a logical flaw in libssh, the library fails to check whether the incoming “successful login” packet was sent by the server or the client, and also fails to check whether the authentication process has actually been completed.

Therefore, if a remote attacker (client) sends this “SSH2_MSG_USERAUTH_SUCCESS” response to libssh, it considers that the authentication has been successful and will grant the attacker access to the server, without needing to enter a password.
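To make the logic flaw concrete, here is an added illustration (modelled in Python, not libssh’s own code) of a server-side user-auth dispatch: the vulnerable handler reacts to a USERAUTH_SUCCESS message no matter who sent it, while the hardened one treats a client-sent USERAUTH_SUCCESS as a protocol violation and only marks the session authenticated after a credential check. The Session class, AuthState names and check_credentials callback are assumptions; the message numbers are those of RFC 4252.

```python
"""
Model of a server-side user-auth state machine, written to illustrate the
CVE-2018-10933 logic flaw. This is not libssh's code; the Session class, the
state names and the credential callback are assumptions for the example.
"""
from enum import Enum

# SSH message type numbers as defined in RFC 4252.
SSH2_MSG_USERAUTH_REQUEST = 50
SSH2_MSG_USERAUTH_SUCCESS = 52


class AuthState(Enum):
    NONE = "none"          # no verified authentication yet
    SUCCESS = "success"    # server has verified the client's credentials


class Session:
    """Minimal server-side session: tracks whether the peer is authenticated."""

    def __init__(self, check_credentials):
        self.check_credentials = check_credentials  # (user, secret) -> bool
        self.state = AuthState.NONE

    # Vulnerable dispatch: a handler table keyed on message type only.
    def handle_packet_vulnerable(self, msg_type, payload):
        # USERAUTH_SUCCESS is a server-to-client message, yet the server acts
        # on it without checking who sent it or whether any request was verified.
        if msg_type == SSH2_MSG_USERAUTH_SUCCESS:
            self.state = AuthState.SUCCESS
        elif msg_type == SSH2_MSG_USERAUTH_REQUEST:
            if self.check_credentials(*payload):
                self.state = AuthState.SUCCESS
        return self.state is AuthState.SUCCESS

    # Hardened dispatch: direction-aware, state changes only after verification.
    def handle_packet_fixed(self, msg_type, payload):
        # A server must never accept server-to-client messages from the client.
        if msg_type == SSH2_MSG_USERAUTH_SUCCESS:
            raise ValueError("protocol violation: client sent USERAUTH_SUCCESS")
        if msg_type == SSH2_MSG_USERAUTH_REQUEST:
            if self.check_credentials(*payload):
                self.state = AuthState.SUCCESS
        return self.state is AuthState.SUCCESS


def unauthenticated_success_accepted(vulnerable):
    """Feed a bare USERAUTH_SUCCESS to a fresh session; True means access granted."""
    session = Session(lambda user, secret: (user, secret) == ("alice", "correct-pw"))
    handler = session.handle_packet_vulnerable if vulnerable else session.handle_packet_fixed
    try:
        return handler(SSH2_MSG_USERAUTH_SUCCESS, ())
    except ValueError:
        return False
```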

Although GitHub uses libssh, it confirms that its official website and GitHub Enterprise are not affected by the vulnerability due to how GitHub uses the library.

“We use a custom version of libssh; SSH2_MSG_USERAUTH_SUCCESS with the libssh server is not relied upon for pubkey-based auth, which is what we use the library for,” a GitHub security official said on Twitter.

“Patches have been applied out of an abundance of caution, but GHE [GitHub Enterprise] was never vulnerable to CVE-2018-10933.”

A Shodan search shows that around 6,500 internet-facing servers may be affected because they use Libssh in one way or another.

The security bug was discovered by Peter Winter-Smith from NCC Group, who responsibly disclosed the issue to Libssh.

The Libssh team addressed the issue with the release of its updated libssh versions 0.8.4 and 0.7.6 on Tuesday, and the details of the vulnerability were also released at the same time.

If you have Libssh installed on your systems, and especially if you are using the server component, you are strongly advised to install the updated versions of Libssh as soon as possible.

Source: The Hacker News

Oracle has just released a security update to prevent 2.3 million servers running the RPCBIND service from being used in amplified DDoS attacks.

The flaw was discovered by the Brazilian researcher Mauricio Corrêa, founder of Brazilian security company XLabs. The exploitation of this vulnerability could cause major problems on the Internet.

“A proof of concept (POC) made in only one XLabs server generated a traffic of 69 gigabits per second,” Mauricio said.

At the time of the discovery, the expert queried Shodan and found nearly 2.6 million servers running RPCBIND on the Internet. Multiplying this exploit across a 2.6 million server farm leads to a frightening conclusion.

RPCBIND is software that provides client programs with the information they need about server programs available on a network. It runs on port 111 and responds with universal addresses of the server programs so that client programs can request data through RPCs (remote procedure calls).

These addresses are formed from the server IP plus a port. Since its launch, RPCBIND has received updates fixing several flaws, including security issues. This, however, is the most serious finding so far.

The discovery of the flaw began on June 11 this year. On that day, one of the web application firewalls (WAFs) installed in the XLabs SOC (security operations center) detected an abnormal pattern of network traffic that caught Mauricio’s eye.

The data showed that a DDoS attack was in progress, coming from port 111 of several servers, all from other countries.
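The traffic pattern the XLabs WAF spotted, many foreign hosts answering from UDP port 111 towards a single target, can be flagged from flow records. The following is an added detection example in Python, not XLabs’ tooling; the flow records, field layout and thresholds are constructed for the example.

```python
"""
Reflected-DDoS detection over NetFlow-style records: inbound UDP flows sourced
from port 111 (rpcbind) on many distinct hosts, all aimed at one destination.
Added example; the records below are constructed, not captured traffic.
"""
from collections import defaultdict

RPCBIND_PORT = 111

# Constructed records: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = [
    ("203.0.113.10", 111, "192.0.2.5", 40001, "udp", 120_000),
    ("203.0.113.11", 111, "192.0.2.5", 40001, "udp", 118_500),
    ("198.51.100.7", 111, "192.0.2.5", 40001, "udp", 121_200),
    ("198.51.100.8", 111, "192.0.2.5", 40001, "udp", 119_900),
    ("203.0.113.12", 111, "192.0.2.5", 40001, "udp", 120_300),
    ("192.0.2.5", 40002, "203.0.113.10", 111, "udp", 60),   # a normal outbound lookup
    ("203.0.113.10", 111, "192.0.2.5", 40002, "udp", 84),   # ...and its small reply
    ("198.51.100.9", 53, "192.0.2.6", 40003, "udp", 300),   # unrelated DNS reply
]


def find_reflection_targets(flows, min_sources=3, min_bytes=100_000):
    """Group inbound UDP flows with source port 111 by destination address.

    A destination is flagged when it receives such traffic from at least
    `min_sources` distinct hosts totalling at least `min_bytes`. A legitimate
    rpcbind reply is tiny and comes from the one server that was queried,
    so normal lookups stay below both thresholds.
    """
    by_dst = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for src_ip, src_port, dst_ip, dst_port, proto, nbytes in flows:
        if proto != "udp" or src_port != RPCBIND_PORT:
            continue
        entry = by_dst[dst_ip]
        entry["sources"].add(src_ip)
        entry["bytes"] += nbytes
    alerts = {}
    for dst_ip, entry in by_dst.items():
        if len(entry["sources"]) >= min_sources and entry["bytes"] >= min_bytes:
            alerts[dst_ip] = {"sources": len(entry["sources"]), "bytes": entry["bytes"]}
    return alerts
```

Flagged destinations are the hosts being attacked; the source addresses behind each alert are the exposed rpcbind servers being abused as reflectors and are the ones to report to their owners.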

“We then decided to open a server with port 111 exposed on the Internet, with the same characteristics as those who were attacking us, and we were monitoring that server for weeks. We found that it was receiving requests to generate attacks,” he explained.

After further analysis of the subject, it was possible to reproduce the attack in the laboratory.

“By analyzing the servers exposed at Shodan, the extent of the problem was confirmed,” continues Mauricio.

The problem discovered by Mauricio is worse than Memcrashed, detected in February of this year. In this type of distributed denial-of-service (DDoS) attack, the malicious traffic generated with the technique is greater than that associated with the abuse of memcached, a service that does not require authentication but has been exposed on the internet by inexperienced system administrators. The service runs on UDP port 11211, and its exploitation by cybercriminals has already generated 260GB of traffic according to Cloudflare’s measurements.

After developing the POC, Mauricio reported the problem to Oracle’s security team, since RPCBIND is a solution originating from Sun, which was acquired by the company in 2010. He sent the information to Oracle so that the company’s experts could confirm and evaluate the problem.

Source: Security Affairs

Juniper Networks has issued fixes for over thirty vulnerabilities affecting its routing, switching and security products running Junos OS.

Critical issues fixed

CVE-2018-0044 is an insecure SSHD configuration in Juniper Device Manager (JDM) and host OS on Juniper NFX Series devices, which may allow remote unauthenticated access if any of the passwords on the system are empty.

If users can’t update to version 18.1R4 (or later), which sets the PermitEmptyPasswords option to no by default, they can either make sure that all accounts are configured with a password or set the aforementioned option to no themselves.

Juniper has also fixed six CVE-numbered vulnerabilities in ntpd (NTP daemon), most of which can cause a DoS condition.

CVE-2018-7183 is the most critical of the batch – a buffer overflow that could allow remote attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array. To plug these holes, users can update the OS or implement an array of security best practices that can protect against any remote malicious attacks against NTP (they should do the latter anyway).

High risk vulnerabilities

Of the high risk issues fixed, some deserve to be singled out.

CVE-2018-0049 can cause the Junos OS kernel to crash and, therefore, a Denial of Service, if the device receives a specifically crafted malicious MPLS packet on an interface configured to receive this type of traffic. Continued receipt of such packets will cause a sustained Denial of Service condition.

“Juniper SIRT is aware of possible malicious network probing which may have triggered this issue, but not aware of any malicious exploitation of this vulnerability,” the company noted.

CVE-2018-0047 is an XSS vulnerability in the UI framework used by Junos Space Security Director that may allow authenticated users to inject persistent malicious scripts.

CVE-2018-0052 allows unauthenticated remote root access to a vulnerable device only if the RSH service is enabled and the PAM authentication disabled.

“RSH service is disabled by default on Junos. There is no documented CLI command to enable this service. However, an undocumented CLI command allows a privileged Junos user to enable RSH service and disable PAM, and hence expose the system to unauthenticated root access. When RSH is enabled, the device is listening for RSH connections on port 514,” the company explained. The fixed version of the software removes the undocumented CLI option.

Source: HelpNet Security

Sextortion scams are when an attacker sends emails to people stating that their computer is hacked and that the attackers have been recording the screen and webcam as the user visits adult sites. The scammers then blackmail the recipients by stating they will release the videos if they do not receive a payment in bitcoins.

In the past, the sextortion emails would just include a target’s password that the attackers found from a data breach dump in order to scare the victim into thinking that the threats were real. Now the scammers are also pretending to have access to the target’s email account by spoofing the sender of the scam email to be the same email as the victim.

These scams have become very profitable, with scammers making over €50K in one week, and this new variant is no different. This new variant was first seen targeting victims in the Netherlands where the scammers made €40,000.

After learning about this new campaign, a security researcher has been monitoring these scams and found that the subject of these emails is “[email address] + 48 hours to pay”.

For example, if my email address was example@example.com, the subject of the sextortion email would read “example@example.com 48 hours to pay” and the sender of the email would be my own email account. You can see an image example of the English sextortion scam below.

[Image: example of the English-language sextortion email]

Many victims have been falling for this scam and sending payments to the attacker.

It is important for users to learn about these new scams as they have been very successful in scaring recipients into making payments. Therefore, if you receive an email like this, do not freak out and simply delete the email and then perform a thorough scan of your computer using an antivirus program.

Mail providers can protect their domains using SPF and DMARC records

Sending spoofed emails so that they appear to be from someone else is nothing new. Phishers, scammers, and jokesters have been doing this for many years. With that said, mail providers can do a better job of making it harder for attackers to spoof email addresses using the domains they manage.

By using DNS records like Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC), domain owners can lock down their domains to make it harder for external users to spoof domains under their control.

These frameworks are free to generate and when used properly can make a huge dent in preventing email abuse and spam. DMARC can also be configured so that you receive reports of spam campaigns utilizing your domain so that you can monitor what malicious activity is being performed.

1. To prevent sending spoofed email:

  1. Create an SPF hard fail (-all) record with only the mail servers that are allowed to send mail on behalf of your domain.
  2. Configure DKIM on your mail servers and publish the key in a DKIM Selector record in DNS.
  3. Create a DMARC record with value p=reject.
  4. Create SPF records for each subdomain.
  5. Create SPF records for mailserver HELO names.
  6. Create SPF hard fail (-all) and DMARC p=reject records for all non-mail and unused domains.

2. To prevent receiving spoofed email:

  1. Check SPF results on incoming mailservers (hard fail = reject, soft fail = spam).
  2. Whitelist the SMTP servers that are allowed to send mail on behalf of their domain, and block the rest.
  3. Check DKIM results on incoming mailservers (failure = reject).
  4. Check DMARC results on incoming mailservers (use the p= policy published in DNS).
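As an added example (not part of the article), the following Python puts the two lists together: constructed SPF and DMARC records for example.com, published as steps 1 and 3 of the first list prescribe, and a receiving-side check that applies the dispositions from the second list. It only understands the ip4, ip6 and all SPF mechanisms (include, a and mx are treated as no match), which is an assumed simplification; the records and IP addresses are constructed.

```python
"""
Minimal SPF/DMARC evaluation for a receiving mail server. Added example; the
records, addresses and result names are constructed for illustration, and
only the ip4/ip6/all SPF mechanisms are implemented.
"""
import ipaddress

# Constructed publishing-side records for example.com (steps 1 and 3 above).
SPF_RECORD = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all"
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

# SPF qualifier prefixes and the result each one yields on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Return pass/fail/softfail/neutral for client_ip against a v=spf1 record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier, mech = ("+", term) if term[0] not in QUALIFIERS else (term[0], term[1:])
        if mech.lower() == "all":
            return QUALIFIERS[qualifier]          # -all -> hard fail, ~all -> soft fail
        if mech.lower().startswith(("ip4:", "ip6:")):
            # ip_network with strict=False accepts a bare host address as a /32 or /128;
            # membership across IP versions is simply False.
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"                              # no mechanism matched, no explicit all


def dmarc_policy(record):
    """Extract the p= policy from a v=DMARC1 record (default 'none')."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p", "none").lower() if tags.get("v") == "DMARC1" else "none"


def inbound_disposition(spf_result, dkim_result, policy):
    """Apply the incoming-mail rules from the list above.

    SPF hard fail -> reject, SPF soft fail -> spam folder, DKIM failure -> reject;
    otherwise a message that passed neither SPF nor DKIM gets the published
    DMARC p= policy (reject, quarantine -> spam, none -> accept).
    """
    if spf_result == "fail" or dkim_result == "fail":
        return "reject"
    if spf_result == "softfail":
        return "spam"
    if spf_result == "pass" or dkim_result == "pass":
        return "accept"
    return {"reject": "reject", "quarantine": "spam", "none": "accept"}.get(policy, "accept")
```

A message spoofing example.com from an address outside the record, as in the scam above, hits -all and is rejected outright, while a domain that only published ~all would merely see it land in the spam folder.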

Source: Bleeping Computer