Exim is a message transfer agent(MTA)that can be used on Unix-like operating systems. All versions up to and including 4.92.1 of Exim do not properly handle trailing backslash characters in the string_interpret_escape()function,which is used to process peer DN and SNI during a TLS negotiation. In cases where the string being processed ends with a '\' character,the vulnerable string_interpret_escape()function will interpret the string-terminating null byte as a value to be escaped,thus incrementing the string pointer to the byte after the string to be processed. If the attacker-provided data is crafted in a certain way,this out-of-bounds pointer can be leveraged to cause a heap overflow. Exim installations configured to allow TLS connections,which can happen either via the SMTP STARTTLS command or via TLS-on-connect,can process attacker-provided data in the TLS SNI information. Exim installations that are configured to process client-provided certificates may also be exploitable via a crafted TLS peer DN.
Bluetooth is a short-range wireless technology based off of a core specification that defines six different core configurations,including the Bluetooth Basic Rate/Enhanced Data Rate Core Configurations. Bluetooth BR/EDR is used for low-power short-range communications. To establish an encrypted connection,two Bluetooth devices must pair with each other and establish a link key that is used to generate the encryption key. For example,assume that there are two controllers attempting to establish a connection:Alice and Bob. After authenticating the link key,Alice proposes that she and Bob use 16 bytes of entropy. This number,N,could be between 1 and 16 bytes. Bob can either accept this,reject this and abort the negotiation,or propose a smaller value. Bob may wish to propose a smaller N value because he(the controller)does not support the larger amount of bytes proposed by Alice. After proposing a smaller amount,Alice can accept it and request to activate link-layer encryption with Bob,which Bob can accept. An attacker,Charlie,could force Alice and Bob to use a smaller N by intercepting Alice's proposal request to Bob and changing N. Charlie could lower N to as low as 1 byte,which Bob would subsequently accept since Bob supports 1 byte of entropy and it is within the range of the compliant values. Charlie could then intercept Bob's acceptance message to Alice and change the entropy proposal to 1 byte,which Alice would likely accept,because she may believe that Bob cannot support a larger N. Thus,both Alice and Bob would accept N and inform the Bluetooth hosts that encryption is active,without acknowledging or realizing that N is lower than either of them initially intended it to be.
The Security Considerations section of RFC7540 discusses some of the considerations needed for HTTP/2 connections as they demand more resources to operate than HTTP/1.1 connections. While it generally covers expected behavior considerations,how to mitigate abnormal behavior is left to the implementer which can leave it open to the following weaknesses. CVE-2019-9511,also known as Data Dribble The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued,this can consume excess CPU,memory,or both,potentially leading to a denial of service. CVE-2019-9512,also known as Ping Flood The attacker sends continual pings to an HTTP/2 peer,causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued,this can consume excess CPU,memory,or both,potentially leading to a denial of service. CVE-2019-9513,also known as Resource Loop The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU,potentially leading to a denial of service. CVE-2019-9514,also known as Reset Flood The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames,this can consume excess memory,CPU,or both,potentially leading to a denial of service. CVE-2019-9515,also known as Settings Flood The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame,an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued,this can consume excess CPU,memory,or both,potentially leading to a denial of service. CVE-2019-9516,also known as 0-Length Headers Leak The attacker sends a stream of headers with a 0-length header name and 0-length header value,optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory,potentially leading to a denial of service. CVE-2019-9517,also known as Internal Data Buffering The attacker opens the HTTP/2 window so the peer can send without constraint; however,they leave the TCP window closed so the peer cannot actually write(many of)the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses,this can consume excess memory,CPU,or both,potentially leading to a denial of service. CVE-2019-9518,also known as Empty Frame Flooding The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA,HEADERS,CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU,potentially leading to a denial of service.
Cylance PROTECT is an endpoint protection system. It contains an antivirus functionality that uses a machine learning algorithm(specifically,a neural network)to classify executables as malicious or benign. Security researchers isolated properties of the machine learning algorithm allowing them to change most known-malicious files in simple ways that cause the Cylance product to misclassify the file as benign. Several common malware families,such as Dridex,Gh0stRAT,and Zeus,were reported as successfully modified to bypass the Cylance product in this way. The success rate of the bypass is reported as approximately 85%of malicious files tested. Cylance reports a 50%bypass creation success rate based on internal testing. Either way,attacker effort to find a successful bypass would be low. Unsophisticated attackers can leverage this flaw to change any executable to which they have access; the defense evasion does not require rewriting the malware,just appending strings to it. The specific attack reported by Skylight Cyber relies on a particular set of strings used by the Cylance product. Although Cylance used an ensemble model that made some uncommon model design choices to achieve a white-listing functionality,this over-reliance on specific details when classifying a file is an instance of a common weakness in machine learning algorithms. For a comprehensive discussion of attacks on machine learning systems,see Papernot N,McDaniel P,Sinha A,Wellman MP. SoK:Security and privacy in machine learning. IEEE EuroS&P 2018. Because this flaw is an instance of a broader category of weaknesses in machine learning algorithms,we do not expect an easy solution. Cylance describes their response as"three-fold:First,we have added anti-tampering controls to the parser in order to detect feature manipulation and prevent them from impacting the model score. Second,we have strengthened the model itself to detect when certain features become proportionally overweight. Lastly,we have removed the features in the model that were most susceptible to tampering."This patch should stop the specific keywords used by the Skylight Cyber researchers from allowing an attacker to bypass detection and increase attacker effort required to find similar bypass techniques. However,the method described by the Skylight Cyber researchers to find and recover the features of the Cylance product is likely to enable the recovery of manipulable features from other security products that rely on machine learning. Although Cylance has removed features"most susceptible to tampering,"our understanding of adversarial manipulation of machine learning classifiers in other domains suggests that the remaining features almost certainly provide adequate freedom for tampering. This inference is based on the structural similarity of the Cylance machine learning model(a neural network)to models that have been successfully deceived in the domains of,for example,facial recognition or visual recognition in self-driving cars. There is some evidence that deception remains relatively easy despite the structure of computer network traffic; we are unaware of public evidence as to whether file structure carries the same limitations. This environment is the context behind and likely driver of Cylance's statement that"AI and machine learning models are,by nature,living models. They are designed to evolve and do require periodic retraining and field servicing when appropriate."
The process file system(/proc)in Oracle Solaris 11 and Solaris 10 provides a self/alias that refers to the current executing process's PID subdirectory with state information about the process. Protection mechanisms for/proc in Solaris 11/10 did not properly restrict the current(self)process from modifying itself via/proc. For services strictly providing file IO this lack of restriction allows an attacker to modify the process providing the file IO and execute arbitrary code.
The stack protection feature provided in the LLVM Arm backend is an optional mitigating feature used to protect against buffer overflows. It works by adding a cookie value between local variables and the stack frame return address. The compiler stores this value in memory and checks the cookie with the LocalStackSlotAllocation function to ensure that it has not changed or been overwritten. If the value has changed,then the function will terminate. Since it currently pre-allocates the stack protector before the local variables in the stack,it's possible that a new stack protector can be allocated later in the process. If that happens,it leaves the stack protection ineffective as the new stack protector slot appears after the local variables that it is meant to protect. Additionally,it is also possible for the stack cookie pointer to spill to the stack and potentially be overwritten. This could happen in an area on the stack before the stack protector slot,rendering it ineffective.
CVE-2019-11477:SACK Panic(Linux>=2.6.29). A sequence of specifically crafted selective acknowledgements(SACK)may trigger an integer overflow,leading to a denial of service or possible kernel failure(panic). CVE-2019-11478:SACK Slowness(Linux<4.15)or Excess Resource Usage(all Linux versions). A sequence of specifically crafted selective acknowledgements(SACK)may cause a fragmented TCP queue,with a potential result in slowness or denial of service. CVE-2019-5599:SACK Slowness(FreeBSD 12 using the RACK TCP Stack). The TCP loss detection algorithm,Recent ACKnowledgment(RACK),uses time and packet or sequence counts to detect losses. RACK uses linked lists to track and identify missing packets. A sequence of specifically crafted acknowledgements may cause the linked lists to grow very large,thus consuming CPU or network resources,resulting in slowness or denial of service. CVE-2019-11479:Excess Resource Consumption Due to Low MSS Values(all Linux versions). The default maximum segment size(MSS)is hard-coded to 48 bytes which may cause an increase of fragmented packets. This vulnerability may create a resource consumption problem in both the CPU and network interface,resulting in slowness or denial of service. For detailed descriptions of these vulnerabilities,see: https://github.com/Netflix/security-bulletins/blob/master/advisories/third- party/2019-001.md
In Windows a session can be locked,which presents the user with a screen that requires authentication to continue using the session. Session locking can happen over RDP in the same way that a local session can be locked. CWE-288:Authentication Bypass Using an Alternate Path or Channel(CVE-2019-9510) Starting with Windows 10 1803(released in April 2018)and Windows Server 2019,the handling of RDP sessions has changed in a way that can cause unexpected behavior with respect to session locking. If a network anomaly triggers a temporary RDP disconnect,upon Automatic Reconnection the RDP session will be restored to an unlocked state,regardless of how the remote system was left. For example,consider the following steps: User connects to remote Windows 10 1803 or Server 2019 or newer system using RDP. User locks remote desktop session. User leaves the physical vicinity of the system being used as an RDP client At this point,an attacker can interrupt the network connectivity of the RDP client system. The RDP client software will automatically reconnect to the remote system once internet connectivity is restored. But because of this vulnerability,the reconnected RDP session is restored to a logged-in desktop rather than the login screen. This means that the remote system unlocks without requiring any credentials to be manually entered. Two-factor authentication systems that integrate with the Windows login screen,such as Duo Security MFA,may also bypassed using this mechanism. We suspect that other MFA solutions that leverage the Windows login screen are similarly affected. Any login banners enforced by an organization will also be bypassed. It is important to note that this vulnerability is with the Microsoft Windows lock screen's behavior when RDP is being used,and the vulnerability is present when no MFA solutions are installed. While MFA product vendors are affected by this vulnerability,the MFA software vendors are not necessarily at fault for relying on the Windows lock screen to behave as expected. Note that this vulnerability was originally described as requiring Network Level Authentication(NLA). We have since confirmed that this behavior is present whether or not NLA is enabled. Also,some combinations of RDP clients and Windows versions prior to Windows 10 1803 and Server 2019 may also demonstrate automatic session unlocking upon RDP reconnect. In such cases,neither MFA integrated with the login screen nor login banner displaying is bypassed in our testing. Although these cases are a different issue than VU#576688,the workarounds listed in this vulnerability note should still be applied to prevent these similar symptoms.
Task Scheduler is a set of Microsoft Windows components that allows for the execution of scheduled tasks. The front-end components of Task Scheduler,such as schtasks.exe,are interfaces that allow for users to view,create,and modify scheduled tasks. The back-end part of Task Scheduler is a Windows service that runs with SYSTEM privileges. One of the libraries used by the Task Scheduler service,schedsvc.dll,has a function called tsched::SetJobFileSecurityByName(),which sets permissions of job files. The permissions of the job file in the%Windir%\system32\tasks directory are modified to give the calling user full permissions to the job file that they have created. At the point where the SetSecurityInfo()function is called,the Task Scheduler service has the NT Authority\SYSTEM security token. This means that the Task Scheduler service can give full user access permissions to files that may only be controlled by the SYSTEM or other privileged accounts. Public proof-of-concept exploit code leverages the legacy schtasks.exe and schedsvc.dll code from Windows XP to take advantage of these high privilege levels when setting file permissions. Versions of Windows prior to Vista used job files in the%Windir%\tasks directory. Legacy versions of schtasks.exe will cause these jobs to be migrated to the%Windir%\system32\tasks directory when those program versions are executed on modern Windows platforms. In conjunction with the SYSTEM security token used by the Task Scheduler service,this migration behavior can be used along with hard links to grant full permissions of protected files to any user on a Windows system. We have confirmed that the public exploit code functions reliably on 32- and 64-bit Windows 10 platforms,as well as Windows Server 2016 and Windows Server 2019. While Windows 8 still contains this vulnerability,exploitation using the publicly-described technique is limited to files where the current user has write access,in our testing. As such,the impact on Windows 8 systems using the technique used by the public exploit appears to be negligible. We have not been able to demonstrate the vulnerability on Windows 7 systems.
CVE-2019-1649:Secure Boot Tampering,also known as Thrangrycat The logic that handles Cisco's Secure Boot improperly checks an area of code that manages the Field Programmable Gate Array(FPGA). The secure boot feature is a proprietary FPGA based implementation used for ensuring chain of trust for software. The secure boot can be bypassed by modifying the bitstream of the FPGA,allowing an authenticated,local attacker to make persistent modification to the root of trust for software integrity. CVE-2019-1862:IOS XE Web UI Command Injection The web user interface of Cisco IOS XE improperly sanitizes user-supplied input. This could allow an authenticated,remote attacker to execute commands as root on the underlying Linux shell.
PrinterLogic versions up to and including 22.214.171.124 are vulnerable to multiple attacks. The PrinterLogic agent,running as SYSTEM,does not validate the PrinterLogic Management Portal's SSL certificate,validate PrinterLogic update packages,or sanitize web browser input. CVE-2018-5408:The PrinterLogic Print Management software does not validate,or incorrectly validates,the PrinterLogic management portal's SSL certificate. When a certificate is invalid or malicious,it might allow an attacker to spoof a trusted entity by using a man-in-the-middle(MITM)attack. The software might connect to a malicious host while believing it is a trusted host,or the software might be deceived into accepting spoofed data that appears to originate from a trusted host. (C WE-295) CVE-2018-5409:PrinterLogic Print Management software updates and executes the code without sufficiently verifying the origin and integrity of the code. An attacker can execute malicious code by compromising the host server,performing DNS spoofing,or modifying the code in transit. (CWE-494) CVE-2019-9505:PrinterLogic Print Management software does not sanitize special characters allowing for remote unauthorized changes to configuration files. (CWE-159)
Quarkslab has researched and reported multiple vulnerabilities affecting Broadcom WiFi drivers. Vulnerabilities in the open source brcmfmac driver: CVE-2019-9503:If the brcmfmac driver receives a firmware event frame from a remote source,the is_wlc_event_frame function will cause this frame to be discarded and not be processed. If the driver receives the firmware event frame from the host,the appropriate handler is called. This frame validation can be bypassed if the bus used is USB(for instance by a wifi dongle). This can allow firmware event frames from a remote source to be processed. CVE-2019-9500:If the Wake-up on Wireless LAN functionality is configured,a malicious event frame can be constructed to trigger an heap buffer overflow in the brcmf_wowl_nd_results function. This vulnerability can be exploited by compromised chipsets to compromise the host,or when used in combination with the above frame validation bypass,can be used remotely. NOTE:The brcmfmac driver only works with Broadcom FullMAC chipsets. Vulnerabilities in the Broadcom wl driver: Two heap buffer overflows can be triggered in the client when parsing an EAPOL message 3 during the 4-way handshake from the access point(AP). CVE-2019-9501:By supplying a vendor information element with a data length larger than 32 bytes,a heap buffer overflow is triggered in wlc_wpa_sup_eapol. CVE-2019-9502:If the vendor information element data length is larger than 164 bytes,a heap buffer overflow is triggered in wlc_wpa_plumb_gtk. NOTE:When the wl driver is used with SoftMAC chipsets,these vulnerabilities are triggered in the host's kernel. When a FullMAC chipset is being used,these vulnerabilities would be triggered in the chipset's firmware.
CERT continues to review the WPA3 protocol in support of this body of research. The root cause of the numerous"implementation"vulnerabilities may involve modifying the protocol. WPA3 uses Simultaneous Authentication of Equals(SAE),also known as Dragonfly Key Exchange,as the initial key exchange protocol,replacing WPA2's Pre-Shared Key(PSK)protocol. hostapd is a daemon for access point and authentication servers used by WPA3 authentication. wpa_supplicant is a wireless supplicant that implements key negotiation with the WPA Authenticator and supports WPA3. Both of these components,as implemented with Extensible Authentication Protocol Password(EAP-PWD)and SAE,are vulnerable as follows: CVE-2019-9494:SAE cache attack against ECC groups(SAE side-channel attacks)- CWE-208 and CWE-524 The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of observable timing differences and cache access patterns. CVE-2019-9495:EAP-PWD cache attack against ECC groups(EAP-PWD side-channel attack)- CWE-524 The implementations of EAP-PWD in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of cache access patterns. Versions of hostapd and wpa_supplicant versions 2.7 and earlier,with EAP-PWD support are vulnerable. CVE-2019-9496:SAE confirm missing state validation - CWE-642 An invalid authentication sequence could result in the hostapd process terminating due to missing state validation steps when processing the SAE confirm message when in hostapd/AP mode. All version of hostapd with SAE support are vulnerable. CVE-2019-9497:EAP-PWD reflection attack(EAP-PWD missing commit validation)- CWE-301 The implementations of EAP-PWD in hostapd EAP Server and wpa_supplicant EAP Peer do not validate the scalar and element values in EAP-pwd-Commit. CVE-2019-9498:EAP-PWD server missing commit validation for scalar/element - CWE-346 The implementations of EAP-PWD in hostapd EAP Server,when built against a crypto library missing explicit validation on imported elements,do not validate the scalar and element values in EAP-pwd-Commit. CVE-2019-9499:EAP-PWD peer missing commit validation for scalar/element - CWE-346 The implementations of EAP-PWD in wpa_supplicant EAP Peer,when built against a crypto library missing explicit validation on imported elements,do not validate the scalar and element values in EAP-pwd-Commit.
Virtual Private Networks(VPNs)are used to create a secure connection with another network over the internet. Multiple VPN applications store the authentication and/or session cookies insecurely in memory and/or log files. CWE-311:Missing Encryption of Sensitive Data The following products and versions store the cookie insecurely in log files: - CVE-2019-1573:Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0- CVE-2019-11213: Pulse Desktop Client 9.0R2 and earlier and 5.3R6 and earlier; Pulse Connect Secure(for Network Connect customers)9.0R2 and earlier,8.3R6 and earlier,and 8.1R13 and earlier The following products and versions store the cookie insecurely in memory: - CVE-2019-1573:Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 - CVE-2019-11213:Pulse Desktop Client 9.0R2 and earlier and 5.3R6 and earlier; Pulse Connect Secure(for Network Connect customers)9.0R2 and earlier,8.3R6 and earlier,and 8.1R13 and earlier - Cisco AnyConnect 4.7.x and prior It is likely that this configuration is generic to additional VPN applications. If you believe that your organization is vulnerable,please contact CERT/CC at firstname.lastname@example.org with the affected products,version numbers,patch information,and self-assigned CVE.
Twitter said Friday it has closed down thousands of accounts across the world for spreading fake news as well as pro-government propaganda, including in places like the United Arab Emirates, China and Spain.
Researchers at breach and attack simulation firm SafeBreach discovered that the Forcepoint VPN Client for Windows is affected by a vulnerability that can be exploited to escalate privileges and for other purposes.
France has not changed its mind on rejecting any asylum request from US surveillance whistleblower Edward Snowden, its foreign minister said Thursday, after the former CIA employee said he would like sanctuary in the country.
VMware this week patched code execution, command injection, information disclosure and denial-of-service (DoS) vulnerabilities in its ESXi, vCenter Server, Workstation, Fusion, VMRC and Horizon Client products.
A key Senate panel on Thursday approved $250 million to help states beef up their election systems, freeing up the money after Senate Majority Leader Mitch McConnell came under criticism from Democrats for impeding separate election security legislation.
Since the start of September 2019 we’ve seen some major attacks, including a Facebook data leak which exposed more than 400 million telephone numbers and an Android software vulnerability which revealed devices were susceptible to SMS-based attacks that could change device settings remotely.
A recently observed phishing campaign is targeting taxpayers in the United States in an attempt to infect their machines with a piece of malware named Amadey, Cofense security researchers have discovered.