Security News

 Vulnerability News SecurityWeek Feed
  • VU#125336: Microsoft Office for Mac cannot properly disable XLM macros

    XLM macros Up to and including Microsoft Excel 4.0,a macro format called XLM was available. XLM macros predate the VBA macros that are more common with modern Microsoft Office systems,however current Microsoft Office versions still support XLM macros. SYLK and XLM macros XLM macros can be incorporated into SYLK files,as outlined by Outflank. Macros in the SYLK format are problematic in that Microsoft Office does not open in Protected View to help protect users. This means that users may be a single click away from arbitrary code execution via a document that originated from the internet. SYLK and XLM macros with Microsoft Office for Mac It has been reported that Office 2011 for Mac fails to warn users before opening SYLK files that contain XLM macros. According to this post,Microsoft has reported that Office 2016 and Office 2019 for Mac properly prompt the user before executing XLM macros in SYLK files. The Problem If Office for the Mac has been configured to use the"Disable all macros without notification"feature,XLM macros in SYLK files are executed without prompting the user. We have confirmed this behavior with fully-patched Office 2016 and Office 2019 for Mac systems.
  • VU#766427: Multiple D-Link routers vulnerable to remote command execution

    Several D-Link routers contain CGI capability that is exposed to users as/apply_sec.cgi,and dispatched on the device by the binary/www/cgi/ssi. This CGI code contains two flaws: The/apply_sec.cgi code is exposed to unauthenticated users. The ping_ipaddr argument of the ping_test action fails to properly handle newline characters. Any arguments after a newline character sent as ping_ipaddr in a POST to/apply_sec.cgi are executed on the device with root privileges. The following devices are reported to be vulnerable: DIR-655 DIR-866L DIR-652 DHP-1565 DIR-855L DAP-1533 DIR-862L DIR-615 DIR-835 DIR-825 We have made a proof-of-concept exploit available,which will disable network connectivity for one minute on affected devices.
  • VU#927237: Pulse Secure VPN contains multiple vulnerabilities

    Pulse Secure released an out-of-cycle advisory along with software patches for the various affected products on April 24,2019. This addressed a number of vulnerabilities including a Remote Code Execution(RCE)vulnerability with pre-authentication access. This vulnerability has no viable workarounds except for applying the patches provided by the vendor and performing required system updates. The CVE-2019-11510 has a CVSS score of 10. The CVEs listed in the advisory are: CVE-2019-11510 - Unauthenticated remote attacker with network access via HTTPS can send a specially crafted URI to perform an arbitrary file reading vulnerability. CVE-2019-11509 - Authenticated attacker via the admin web interface can exploit this issue to execute arbitrary code on the Pulse Secure appliance. CVE-2019-11508 - A vulnerability in the Network File Share(NFS)of Pulse Connect Secure allows an authenticated end-user attacker to upload a malicious file to write arbitrary files to the local system. CVE-2019-11507 - A XSS issue has been found in Pulse Secure Application Launcher page. Pulse Connect Secure(PCS)8.3.x before 8.3R7.1,and 9.0.x before 9.0R3. CVE-2019-11543 - A XSS issue found the admin web console. Pulse Secure Pulse Connect Secure(PCS)9.0RX before 9.0R3.4,8.3RX before 8.3R7.1,and 8.1RX before 8.1R15.1 and Pulse Policy Secure 9.0RX before 9.0R3.2,5.4RX before 5.4R7.1,and 5.2RX before 5.2R12.1. CVE-2019-11542 - Authenticated attacker via the admin web interface can send a specially crafted message resulting in a stack buffer overflow. CVE-2019-11541 - Users using SAML authentication with Reuse Existing NC(Pulse)Session option may see authentication leaks CVE-2019-11540 - A vulnerability in the Pulse Secure could allow an unauthenticated,remote attacker to conduct a(end user)session hijacking attack. CVE-2019-11539 - Authenticated attacker via the admin web interface allow attacker to inject and execute command injection CVE-2019-11538 - A vulnerability in the Network File Share(NFS)of Pulse Connect Secure could allow an authenticated end-user attacker to access the contents of arbitrary files on the local file system. Exploitation of these vulnerabilities was demonstrated at various events and proved to be highly impactful due to the direct access to admin privileges and the consequent ability to infect multiple VPN connected users and their desktops. Initially there was a lack of clarity about CVE-2019-11510,as to whether it can be mitigated with the requirement of a client-certificate or two-factor authentication(2FA)to prevent this attack. CERT/CC has confirmed with the vendor that this vulnerability cannot be mitigated using client certificate and furthermore there is no viable alternative to updating the Pulse Secure VPN software to a non-vulnerable version. Even if client certificates are required for user authentication,CVE-2019-11510 can be exploited by an unauthenticated remote attacker to obtain session IDs of active users stored in/data/runtime/mtmp/lmdb/randomVal/data.mdb. The attacker can use these session IDs to impersonate as one of the active users. If a Pulse Secure administrator is currently active and the administrative access is available to the attacker,attacker could gain administrative access to Pulse Secure VPN. It is highly recommended that all Pulse Secure VPN administrators perform the required upgrade on all their affected products. If your Pulse Secure VPN has been identified as End of Engineering(EOE)and End of Life(EOL),we highly recommend replacement of the VPN appliance entirely without any delay - please check Pulse Secure advisory for this information. Timelines of specific events: March 22,2019–Security researcher O. Tsai and M. Chang responsibly disclose vulnerability to Pulse Secure April 24,2019 - Initial advisory posted and software updates posted by Pulse Secure to the Download Center April 25,2019–Assignment of CVE-2019-11510,CVE-2019-11509,CVE-2019-11508,CVE-2019-11507,CVE-2019-11543,CVE-2019-11542,CVE-2019-11541,CVE-2019-11540,CVE-2019-11539,CVE-2019-11538 April 26,2019 - Workaround provided for CVE-2019-11508 about disabling file sharing as a mitigation May 28 2019–Large commercial vendors get reports of vulnerable VPN through HackerOne July 31 2019–Full RCE use of exploit demonstrated using the admin session hash to get complete shell August 8 2019 - Meh Chang and Orange Tsai demonstrate the VPN issues across multiple vendors(Pulse Secure)with detailed attack on active VPN exploitation August 24,2019–Bad Packets identifies over 14,500 vulnerable VPN servers globally still unpatched and in need of an upgrade October 7,2019–NSA produces a Cybersecurity Advisory on Pulse Secure and other VPN products being targeted actively by Advanced Persistent Threat actors
  • VU#763073: iTerm2 with tmux integration is vulnerable to remote command execution

    iTerm2 is a popular terminal emulator for macOS that supports terminal multiplexing using tmux integration and is frequently used by developers and system administrators. A vulnerability,identified as CVE-2019-9535,exists in the way that iTerm2 integrates with tmux's control mode,which may allow an attacker to execute arbitrary commands by providing malicious output to the terminal. This affects versions of iTerm2 up to and including 3.3.5.
  • VU#719689: Multiple vulnerabilities found in the Cobham EXPLORER 710 satcom terminal

    The Cobham EXPLORER 710 is a portable satellite terminal used to provide satellite telecommunications and internet access. For consistency,“device” mentioned in the following section is defined as the Cobham EXPLORER 710. The affected firmware version is 1.07 for all of the vulnerabilities listed below unless otherwise noted. CVE-2019-9529 The web application portal has no authentication by default. This could allow an unauthenticated,local attacker connected to the device to access the portal and to make any change to the device. CVE-2019-9530 The web root directory has no access restrictions on downloading and reading all files. This could allow an unauthenticated,local attacker connected to the device to access and download any file found in the web root directory. CVE-2019-9531 The web application portal allows unauthenticated access to port 5454 on the device. This could allow an unauthenticated,remote attacker to connect to this port via Telnet and execute 86 Attention(AT)commands,including some that provide unauthenticated,shell-like access to the device. CVE-2019-9532 The web application portal sends the login password in cleartext. This could allow an unauthenticated,local attacker to intercept the password and gain access to the portal. CVE-2019-9533 The root password for the device is the same for all versions of firmware up to and including v1.08. This could allow an attacker to reverse-engineer the password from available versions to gain authenticated access to the device. CVE-2019-9534 The device does not validate its firmware image. Development scripts left in the firmware can be used to upload a custom firmware image that the device runs. This could allow an unauthenticated,local attacker to upload their own firmware that could be used to intercept or modify traffic,spoof or intercept GPS traffic,exfiltrate private data,hide a backdoor,or cause a denial-of-service. The CVSS score below reflects the score for this CVE in particular. In addition to the findings above,we have found some configuration issues within the device that can leave it vulnerable to attackers. The default WiFi password is publicly documented as the serial number of the device and can be easily brute forced. Additionally,important security headers are missing,which leaves the device vulnerable to cross-site scripting and clickjacking.
  • VU#672565: Exim fails to properly handle trailing backslashes in string_interpret_escape()

    Exim is a message transfer agent(MTA)that can be used on Unix-like operating systems. All versions up to and including 4.92.1 of Exim do not properly handle trailing backslash characters in the string_interpret_escape()function,which is used to process peer DN and SNI during a TLS negotiation. In cases where the string being processed ends with a '\' character,the vulnerable string_interpret_escape()function will interpret the string-terminating null byte as a value to be escaped,thus incrementing the string pointer to the byte after the string to be processed. If the attacker-provided data is crafted in a certain way,this out-of-bounds pointer can be leveraged to cause a heap overflow. Exim installations configured to allow TLS connections,which can happen either via the SMTP STARTTLS command or via TLS-on-connect,can process attacker-provided data in the TLS SNI information. Exim installations that are configured to process client-provided certificates may also be exploitable via a crafted TLS peer DN.
  • VU#918987: Bluetooth BR/EDR supported devices are vulnerable to key negotiation attacks

    Bluetooth is a short-range wireless technology based off of a core specification that defines six different core configurations,including the Bluetooth Basic Rate/Enhanced Data Rate Core Configurations. Bluetooth BR/EDR is used for low-power short-range communications. To establish an encrypted connection,two Bluetooth devices must pair with each other and establish a link key that is used to generate the encryption key. For example,assume that there are two controllers attempting to establish a connection:Alice and Bob. After authenticating the link key,Alice proposes that she and Bob use 16 bytes of entropy. This number,N,could be between 1 and 16 bytes. Bob can either accept this,reject this and abort the negotiation,or propose a smaller value. Bob may wish to propose a smaller N value because he(the controller)does not support the larger amount of bytes proposed by Alice. After proposing a smaller amount,Alice can accept it and request to activate link-layer encryption with Bob,which Bob can accept. An attacker,Charlie,could force Alice and Bob to use a smaller N by intercepting Alice's proposal request to Bob and changing N. Charlie could lower N to as low as 1 byte,which Bob would subsequently accept since Bob supports 1 byte of entropy and it is within the range of the compliant values. Charlie could then intercept Bob's acceptance message to Alice and change the entropy proposal to 1 byte,which Alice would likely accept,because she may believe that Bob cannot support a larger N. Thus,both Alice and Bob would accept N and inform the Bluetooth hosts that encryption is active,without acknowledging or realizing that N is lower than either of them initially intended it to be.
  • VU#605641: HTTP/2 implementations do not robustly handle abnormal traffic and resource exhaustion

    The Security Considerations section of RFC7540 discusses some of the considerations needed for HTTP/2 connections as they demand more resources to operate than HTTP/1.1 connections. While it generally covers expected behavior considerations,how to mitigate abnormal behavior is left to the implementer which can leave it open to the following weaknesses. CVE-2019-9511,also known as Data Dribble The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued,this can consume excess CPU,memory,or both,potentially leading to a denial of service. CVE-2019-9512,also known as Ping Flood The attacker sends continual pings to an HTTP/2 peer,causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued,this can consume excess CPU,memory,or both,potentially leading to a denial of service. CVE-2019-9513,also known as Resource Loop The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU,potentially leading to a denial of service. CVE-2019-9514,also known as Reset Flood The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames,this can consume excess memory,CPU,or both,potentially leading to a denial of service. CVE-2019-9515,also known as Settings Flood The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame,an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued,this can consume excess CPU,memory,or both,potentially leading to a denial of service. CVE-2019-9516,also known as 0-Length Headers Leak The attacker sends a stream of headers with a 0-length header name and 0-length header value,optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory,potentially leading to a denial of service. CVE-2019-9517,also known as Internal Data Buffering The attacker opens the HTTP/2 window so the peer can send without constraint; however,they leave the TCP window closed so the peer cannot actually write(many of)the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses,this can consume excess memory,CPU,or both,potentially leading to a denial of service. CVE-2019-9518,also known as Empty Frame Flooding The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA,HEADERS,CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU,potentially leading to a denial of service.
  • VU#489481: Cylance Antivirus Products Susceptible to Concatenation Bypass

    Cylance PROTECT is an endpoint protection system. It contains an antivirus functionality that uses a machine learning algorithm(specifically,a neural network)to classify executables as malicious or benign. Security researchers isolated properties of the machine learning algorithm allowing them to change most known-malicious files in simple ways that cause the Cylance product to misclassify the file as benign. Several common malware families,such as Dridex,Gh0stRAT,and Zeus,were reported as successfully modified to bypass the Cylance product in this way. The success rate of the bypass is reported as approximately 85%of malicious files tested. Cylance reports a 50%bypass creation success rate based on internal testing. Either way,attacker effort to find a successful bypass would be low. Unsophisticated attackers can leverage this flaw to change any executable to which they have access; the defense evasion does not require rewriting the malware,just appending strings to it. The specific attack reported by Skylight Cyber relies on a particular set of strings used by the Cylance product. Although Cylance used an ensemble model that made some uncommon model design choices to achieve a white-listing functionality,this over-reliance on specific details when classifying a file is an instance of a common weakness in machine learning algorithms. For a comprehensive discussion of attacks on machine learning systems,see Papernot N,McDaniel P,Sinha A,Wellman MP. SoK:Security and privacy in machine learning. IEEE EuroS&P 2018. Because this flaw is an instance of a broader category of weaknesses in machine learning algorithms,we do not expect an easy solution. Cylance describes their response as"three-fold:First,we have added anti-tampering controls to the parser in order to detect feature manipulation and prevent them from impacting the model score. Second,we have strengthened the model itself to detect when certain features become proportionally overweight. Lastly,we have removed the features in the model that were most susceptible to tampering."This patch should stop the specific keywords used by the Skylight Cyber researchers from allowing an attacker to bypass detection and increase attacker effort required to find similar bypass techniques. However,the method described by the Skylight Cyber researchers to find and recover the features of the Cylance product is likely to enable the recovery of manipulable features from other security products that rely on machine learning. Although Cylance has removed features"most susceptible to tampering,"our understanding of adversarial manipulation of machine learning classifiers in other domains suggests that the remaining features almost certainly provide adequate freedom for tampering. This inference is based on the structural similarity of the Cylance machine learning model(a neural network)to models that have been successfully deceived in the domains of,for example,facial recognition or visual recognition in self-driving cars. There is some evidence that deception remains relatively easy despite the structure of computer network traffic; we are unaware of public evidence as to whether file structure carries the same limitations. This environment is the context behind and likely driver of Cylance's statement that"AI and machine learning models are,by nature,living models. They are designed to evolve and do require periodic retraining and field servicing when appropriate."
  • VU#790507: Oracle Solaris vulnerable to arbitrary code execution via /proc/self

    The process file system(/proc)in Oracle Solaris 11 and Solaris 10 provides a self/alias that refers to the current executing process's PID subdirectory with state information about the process. Protection mechanisms for/proc in Solaris 11/10 did not properly restrict the current(self)process from modifying itself via/proc. For services strictly providing file IO this lack of restriction allows an attacker to modify the process providing the file IO and execute arbitrary code.
  • VU#129209: LLVMs Arm stack protection feature can be rendered ineffective

    The stack protection feature provided in the LLVM Arm backend is an optional mitigating feature used to protect against buffer overflows. It works by adding a cookie value between local variables and the stack frame return address. The compiler stores this value in memory and checks the cookie with the LocalStackSlotAllocation function to ensure that it has not changed or been overwritten. If the value has changed,then the function will terminate. Since it currently pre-allocates the stack protector before the local variables in the stack,it's possible that a new stack protector can be allocated later in the process. If that happens,it leaves the stack protection ineffective as the new stack protector slot appears after the local variables that it is meant to protect. Additionally,it is also possible for the stack cookie pointer to spill to the stack and potentially be overwritten. This could happen in an area on the stack before the stack protector slot,rendering it ineffective.
  • VU#905115: Multiple TCP Selective Acknowledgement (SACK) and Maximum Segment Size (MSS) networking vulnerabilities may cause denial-of-service conditions in Linux and FreeBSD kernels

    CVE-2019-11477:SACK Panic(Linux>=2.6.29). A sequence of specifically crafted selective acknowledgements(SACK)may trigger an integer overflow,leading to a denial of service or possible kernel failure(panic). CVE-2019-11478:SACK Slowness(Linux<4.15)or Excess Resource Usage(all Linux versions). A sequence of specifically crafted selective acknowledgements(SACK)may cause a fragmented TCP queue,with a potential result in slowness or denial of service. CVE-2019-5599:SACK Slowness(FreeBSD 12 using the RACK TCP Stack). The TCP loss detection algorithm,Recent ACKnowledgment(RACK),uses time and packet or sequence counts to detect losses. RACK uses linked lists to track and identify missing packets. A sequence of specifically crafted acknowledgements may cause the linked lists to grow very large,thus consuming CPU or network resources,resulting in slowness or denial of service. CVE-2019-11479:Excess Resource Consumption Due to Low MSS Values(all Linux versions). The default maximum segment size(MSS)is hard-coded to 48 bytes which may cause an increase of fragmented packets. This vulnerability may create a resource consumption problem in both the CPU and network interface,resulting in slowness or denial of service. For detailed descriptions of these vulnerabilities,see: party/
  • VU#576688: Microsoft Windows RDP can bypass the Windows lock screen

    In Windows a session can be locked,which presents the user with a screen that requires authentication to continue using the session. Session locking can happen over RDP in the same way that a local session can be locked. CWE-288:Authentication Bypass Using an Alternate Path or Channel(CVE-2019-9510) Starting with Windows 10 1803(released in April 2018)and Windows Server 2019,the handling of RDP sessions has changed in a way that can cause unexpected behavior with respect to session locking. If a network anomaly triggers a temporary RDP disconnect,upon Automatic Reconnection the RDP session will be restored to an unlocked state,regardless of how the remote system was left. For example,consider the following steps: User connects to remote Windows 10 1803 or Server 2019 or newer system using RDP. User locks remote desktop session. User leaves the physical vicinity of the system being used as an RDP client At this point,an attacker can interrupt the network connectivity of the RDP client system. The RDP client software will automatically reconnect to the remote system once internet connectivity is restored. But because of this vulnerability,the reconnected RDP session is restored to a logged-in desktop rather than the login screen. This means that the remote system unlocks without requiring any credentials to be manually entered. Two-factor authentication systems that integrate with the Windows login screen,such as Duo Security MFA,may also bypassed using this mechanism. We suspect that other MFA solutions that leverage the Windows login screen are similarly affected. Any login banners enforced by an organization will also be bypassed. It is important to note that this vulnerability is with the Microsoft Windows lock screen's behavior when RDP is being used,and the vulnerability is present when no MFA solutions are installed. While MFA product vendors are affected by this vulnerability,the MFA software vendors are not necessarily at fault for relying on the Windows lock screen to behave as expected. Note that this vulnerability was originally described as requiring Network Level Authentication(NLA). We have since confirmed that this behavior is present whether or not NLA is enabled. Also,some combinations of RDP clients and Windows versions prior to Windows 10 1803 and Server 2019 may also demonstrate automatic session unlocking upon RDP reconnect. In such cases,neither MFA integrated with the login screen nor login banner displaying is bypassed in our testing. Although these cases are a different issue than VU#576688,the workarounds listed in this vulnerability note should still be applied to prevent these similar symptoms.
  • VU#877837: Multiple vulnerabilities in Quest Kace System Management Appliance

    CVE-2018-5404:The Quest Kace System Management(K1000)Appliance allows an authenticated,remote attacker with least privileges('User Console Only' role)to potentially exploit multiple Blind SQL Injection vulnerabilities to retrieve sensitive information from the database or copy the entire database. (CWE-89) CVE-2018-5405:The Quest Kace System Management(K1000)Appliance allows an authenticated least privileged user with‘User Console Only’rights to potentially inject arbitrary JavaScript code on the tickets page. Script execution could allow a malicious user of the system to steal session cookies of other users including Administrator and take over their session. This can further be exploited to launch other attacks. The software also does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. (CWE-79) CVE-2018-5406:The Quest Kace System Management(K1000)Appliance allows a remote attacker to exploit the misconfigured Cross-Origin Resource Sharing(CORS)mechanism. An unauthenticated,remote attacker could exploit this vulnerability to perform sensitive actions such as adding a new administrator account or changing the appliance’s settings. A malicious internal user could also gain administrator privileges of this appliance and use it to visit a malicious link that exploits this vulnerability. This could cause the application to perform sensitive actions such as adding a new administrator account or changing the appliance’s settings. (CWE-284)
  • VU#119704: Microsoft Windows Task Scheduler SetJobFileSecurityByName privilege escalation vulnerability

    Task Scheduler is a set of Microsoft Windows components that allows for the execution of scheduled tasks. The front-end components of Task Scheduler,such as schtasks.exe,are interfaces that allow for users to view,create,and modify scheduled tasks. The back-end part of Task Scheduler is a Windows service that runs with SYSTEM privileges. One of the libraries used by the Task Scheduler service,schedsvc.dll,has a function called tsched::SetJobFileSecurityByName(),which sets permissions of job files. The permissions of the job file in the%Windir%\system32\tasks directory are modified to give the calling user full permissions to the job file that they have created. At the point where the SetSecurityInfo()function is called,the Task Scheduler service has the NT Authority\SYSTEM security token. This means that the Task Scheduler service can give full user access permissions to files that may only be controlled by the SYSTEM or other privileged accounts. Public proof-of-concept exploit code leverages the legacy schtasks.exe and schedsvc.dll code from Windows XP to take advantage of these high privilege levels when setting file permissions. Versions of Windows prior to Vista used job files in the%Windir%\tasks directory. Legacy versions of schtasks.exe will cause these jobs to be migrated to the%Windir%\system32\tasks directory when those program versions are executed on modern Windows platforms. In conjunction with the SYSTEM security token used by the Task Scheduler service,this migration behavior can be used along with hard links to grant full permissions of protected files to any user on a Windows system. We have confirmed that the public exploit code functions reliably on 32- and 64-bit Windows 10 platforms,as well as Windows Server 2016 and Windows Server 2019. While Windows 8 still contains this vulnerability,exploitation using the publicly-described technique is limited to files where the current user has write access,in our testing. As such,the impact on Windows 8 systems using the technique used by the public exploit appears to be negligible. We have not been able to demonstrate the vulnerability on Windows 7 systems.