Vol. 12, Num. 48
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 11/21/2012 - 11/28/2012
issue, with a pair of vendors claiming a massive cache of 0-day remote
code execution bugs in a variety of product suites. Details are sketchy
at best for the time being, but users of potentially impacted software
are urged to work with ICS-CERT and their vendor(s) to resolve the
problems as soon as information about these exploits surfaces.
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM
Title: Multiple SCADA 0-Day Remote Exploits
Description: Responding to claims by Maltese security firm ReVuln that
it had discovered multiple remotely exploitable bugs in different SCADA
systems, but would not be supplying details of the bugs to impacted
vendors, reverse-engineering firm Exodus Intel has provided details of
23 distinct SCADA vulnerabilities - including a number of remote code
execution bugs - to ICS-CERT, the US government organization
specifically in charge of SCADA security. While no details of either set
of vulnerabilities has been released to date, users of potentially
impacted software are urged to contact ICS-CERT for mitigation
information as soon as possible, and to work with their vendors to patch
promptly once updates become available.
Reference:
http://blog.exodusintel.com/2012/11/25/what-does-a-flightless-bird-and-scada-software-have-in-common/
Snort SID: N/A
ClamAV: N/A
Title: Samsung Printer Backdoor Account
Description: Network-aware printers manufactured by Samsung before
October 31, 2012 (including some Dell printers actually built by
Samsung) have a hard-coded SNMP read-write community string, which
enables full administrative access to the device - even when SNMP has
been disabled by the user. A patch is currently being developed by
Samsung; in the interim, users should consider blocking all SNMP traffic
to impacted printers, which likely contain sensitive information that
could be used by an attacker or industrial spy.
Reference:
http://www.kb.cert.org/vuls/id/281284
http://l8security.com/post/36715280176/vu-281284-samsung-printer-snmp-backdoor
Snort SID: 24814
ClamAV: N/A
Title: Invision IP Board Remote Code Execution
Description: A problem handling PHP serialized code in certain cookie
values leads to trivial remote code execution in the Invision IP Board
system, a popular web forum. Exploits have been released in Metasploit
and elsewhere, and attacks are presumed to be occurring in the wild.
Impacted users should patch their systems immediately.
Reference:
http://community.invisionpower.com/topic/371625-ipboard-31x-32x-and-33x-critical-security-update/
http://www.metasploit.com/modules/exploit/unix/webapp/invision_pboard_unserialize_exec
Snort SID: 24804
ClamAV: N/A
Title: Lighttpd Web Server Denial of Service
Description: A trivially exploitable denial-of-service attack was
recently discovered in the popular Lighttpd web server, known for its
small footprint and ease of deployment on resource-constrained systems.
Users with simple HTTP request creation tools can easily exploit this
vulnerability to take sites offline. Impacted users are urged to patch
immediately.
Reference:
http://www.lighttpd.net/2012/11/21/1-4-32/
Snort SID: 24805
ClamAV: N/A
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
DreamHost breached, server and client information leaked:
http://www.cyberwarnews.info/2012/11/24/dreamhost-breached-server-client-information-leaked/
ROP and roll:
http://www.insomniasec.com/publications/Kiwicon%202012%20Rop%20and%20Roll.pdf
Bogus Facebook ‘pending notifications’ themed emails serve client-side exploits, malware:
http://blog.webroot.com/2012/11/27/bogus-facebook-pending-notifications-themed-emails-serve-client-side-exploits-and-malware/
Life of an instruction in LLVM:
http://eli.thegreenplace.net/2012/11/24/life-of-an-instruction-in-llvm/
Confidential police docs found in Macy’s Day Parade confetti:
http://www.wpix.com/news/wpix-confidential-confetti-at-thanksgiving-parade,0,4718007.story
Hacked GoDaddy sites infecting users with ransomware:
http://nakedsecurity.sophos.com/2012/11/23/hacked-go-daddy-ransomware/
The business of commercial exploit development:
http://www.darkreading.com/blog/240142392/the-business-of-commercial-exploit-development.html
Hacker selling $700 exploit that hijacks Yahoo accounts:
http://nakedsecurity.sophos.com/2012/11/26/hacker-selling-yahoo-exploit/
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: : CVE-2012-3752
Title: Apple QuickTime 7.7.2 TeXML Style Element font-table Field Stack
Buffer Overflow
Vendor: Apple
Description: Multiple buffer overflows in Apple QuickTime before 7.7.3
allow remote attackers to execute arbitrary code or cause a denial of
service (application crash) via a crafted style element in a QuickTime
TeXML file.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: : CVE-2012-4964
Title: Samsung Printer Firmware Contains A Backdoor Administrator Account
Vendor: Samsung
Description: Samsung printers contain a hardcoded account that could
allow a remote attacker to take control of an affected device.
CVSS v2 Base Score: 9.0 (AV:N/AC:M/Au:N/C:C/I:C/A:P)
ID: : CVE-2012-4956
Title: Novell File Reporter Vulnerabilities
Vendor: Novell
Description: Heap-based buffer overflow in NFRAgent.exe in Novell File
Reporter 1.0.2 allows remote attackers to execute arbitrary code via a
large number of VOL elements in an SRS record.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: : CVE-2012-2897
Title: Microsoft Windows Kernel TrueType Font Integer Underflow Vulnerability
Vendor: Microsoft
Description: The kernel-mode drivers in Microsoft Windows XP SP2 and
SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008
SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server
2012, and Windows RT, as used by Google Chrome before 22.0.1229.79 and
other programs, do not properly handle objects in memory, which allows
remote attackers to execute arbitrary code via a crafted TrueType font
file, aka “Windows Font Parsing Vulnerability” or “TrueType Font Parsing
Vulnerability.”
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: : CVE-2012-0507
Title: Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment
(JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30
and earlier, and 5.0 Update 33 and earlier allows remote attackers to
affect confidentiality, integrity, and availability via unknown vectors
related to Concurrency.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
MOST PREVALENT MALWARE FILES 11/21/2012 - 11/28/2012 COMPILED BY SOURCEFIRE
SHA 256: B7B28E855B8C6225C605330760FF4DC407EFC83F72F1A04E974A72189D0F1D96
MD5: 573b6cc513e1b7cd9e35b491eacc38f3
VirusTotal: https://www.virustotal.com/file/B7B28E855B8C6225C605330760FF4DC407EFC83F72F1A04E974A72189D0F1D96/analysis/
Typical Filename: ngud.exe
Claimed Product: ngud.exe
Claimed Publisher: ngud.exe
SHA 256: DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C
MD5: 25aa9bb549ecc7bb6100f8d179452508
VirusTotal: https://www.virustotal.com/file/DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C/analysis/
Typical Filename: File_0_2.ok
Claimed Product: File_0_2.ok
Claimed Publisher: File_0_2.ok
SHA 256: AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615
MD5: 3291e1603715c47a23b60a8bf2ca73db
VirusTotal: https://www.virustotal.com/file/AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615/analysis/
Typical Filename: 3291e1603715c47a23b60a8bf2ca73db
Claimed Product: 3291e1603715c47a23b60a8bf2ca73db
Claimed Publisher: 3291e1603715c47a23b60a8bf2ca73db
SHA 256: E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B
MD5: bf31a8d79f704f488e3dbcb6eea3b3e3
VirusTotal: https://www.virustotal.com/file/E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B/analysis/
Typical Filename: lmlkl.sys
Claimed Product: lmlkl.sys
Claimed Publisher: lmlkl.sys
SHA 256: 9267AAD92DEA47A6A8B2F734037239AB3376E47F969F8B97B64192A820B2A86F
MD5: 3ff52cee72b936c56b4fbb9f970ece74
VirusTotal: https://www.virustotal.com/file/9267AAD92DEA47A6A8B2F734037239AB3376E47F969F8B97B64192A820B2A86F/analysis/
Typical Filename: wintdiyx.exe
Claimed Product: wintdiyx.exe
Claimed Publisher: wintdiyx.exe
OVERVIEW
CAPABILITIES
PLATFORM APPS
Use Cases
Segments
Resources
Research
Enterprise TruRisk Platform
Free Services