The Information Security Report is a monthly summary, compiled by Shearwater’s experienced cybersecurity professionals, to highlight the vulnerabilities and new attack vectors in some of the latest active threats, exploits and breaches and share recommendations to help you protect your data and stay a step ahead.
Featured this month: a WebEx vulnerability that allows a remote attacker to execute code on the machine, a LibSSH authentication vulnerability that allows a remote attacker to authenticate without valid credentials, three vulnerabilities in a number of D-Link routers which combine to allow a remote attacker to take over a device, a number of new Drupal code execution vulnerabilities and a Windows zero-day vulnerability. Recent breaches include Cathay Pacific and Pocket iNet, and in security news, the Californian government has passed a bill requiring manufacturers to improve passwords on IoT devices.
Current Threats and Exploits
- WebEx Remote Code Execution Vulnerability:
A vulnerability has been discovered in Cisco’s Web meeting/presentation client, WebEx Client, that allows a remote attacker to execute code on the machine.
We recommend that users patch their WebEx Client software to version 33.6.0 to prevent exploitation of this vulnerability. (1)
- LibSSH Authentication Vulnerability:
A new vulnerability has been discovered in the LibSSH package, which is used to add SSH support to devices. The vulnerability, assigned CVE-2018-10933, allows a remote attacker to send the server a successful-authentication message (SSH2_MSG_USERAUTH_SUCCESS, the message the server would normally send to the client) upon connecting, and the server accepts it. As a result, the attacker can easily become authenticated to the device without needing to present valid credentials. The vulnerability is reported to exist in all versions of LibSSH after 0.6.
Users of LibSSH are advised to upgrade to the latest versions, 0.8.4 and 0.7.6, which have been fixed to remove the authentication flaw. (2)
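As an added example (not from the original report), the following script screens SSH server identification strings collected by an inventory tool and flags LibSSH builds that predate the 0.7.6 and 0.8.4 fixes. The banner format, the sample banners and the treatment of branches newer than 0.8 as post-fix are assumptions.

```python
import re

# Lowest affected release and the fixed release on each affected branch (0.7.6 and 0.8.4 per the advisory).
FIRST_AFFECTED = (0, 6, 0)
FIXED_ON_BRANCH = {(0, 7): (0, 7, 6), (0, 8): (0, 8, 4)}

# libssh servers identify themselves as e.g. "SSH-2.0-libssh_0.8.1" (older builds used a hyphen): assumption.
LIBSSH_BANNER = re.compile(r"^SSH-2\.0-libssh[_-](\d+)\.(\d+)\.(\d+)")

def parse_libssh_version(banner):
    """Return (major, minor, patch) from a server identification string, or None if it is not libssh."""
    m = LIBSSH_BANNER.match(banner.strip())
    return tuple(int(x) for x in m.groups()) if m else None

def lacks_fix(version):
    """True when this libssh version is in the affected range and predates the fix on its branch."""
    if version < FIRST_AFFECTED:
        return False
    fixed = FIXED_ON_BRANCH.get(version[:2])
    if fixed is not None:
        return version < fixed
    # No fixed release exists on the 0.6 branch; branches newer than 0.8 are treated as post-fix (assumption).
    return version[:2] < (0, 7)

def triage(banners):
    """Reduce (label, banner) pairs to the libssh servers that still need the upgrade."""
    needs_upgrade = []
    for label, banner in banners:
        version = parse_libssh_version(banner)
        if version is not None and lacks_fix(version):
            needs_upgrade.append((label, ".".join(map(str, version))))
    return needs_upgrade

# Constructed sample banners, such as an inventory scan of your own hosts would collect.
SAMPLE_BANNERS = [
    ("nas-01", "SSH-2.0-libssh_0.7.3"),
    ("nas-02", "SSH-2.0-libssh_0.7.6"),
    ("cam-07", "SSH-2.0-libssh-0.6.3"),
    ("ci-runner", "SSH-2.0-libssh_0.8.4"),
    ("bastion", "SSH-2.0-OpenSSH_7.4"),
]

if __name__ == "__main__":
    for label, version in triage(SAMPLE_BANNERS):
        print(f"{label}: libssh {version} lacks the CVE-2018-10933 fix")
```

The banner is only what the server advertises, so vendors that backport fixes without changing the version string will show up as false positives; treat the output as a screening list to confirm against the vendor's own advisory.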
- D-Link Routers Vulnerable External Control:
Security researchers have identified three vulnerabilities in a number of D-Link routers which, when combined, allow a remote attacker to take control of the device. The first vulnerability allows an unauthenticated attacker to browse the file system of the router and obtain the password file. The second vulnerability is that the password file is stored in cleartext, giving them the raw passwords. Finally, an authenticated attacker can execute arbitrary code on the device through the Web interface. Because the first two vulnerabilities yield the raw passwords, an attacker can chain all three to take over the device. D-Link was informed of the vulnerabilities in May this year; however, it has not released any patches.
It is strongly advised that anyone using D-Link routers ensures they are not configured to allow access to their Web interface from the Internet. (3)
- More Drupal Code Execution Vulnerabilities:
A number of new remote code execution vulnerabilities have been discovered in the Drupal content management system. One of the most critical exists in the default mail backend, which does not check shell arguments when processing emails, allowing injected commands to be executed on the server.
Users should ensure that Drupal 7 is updated to version 7.60, Drupal 8.5 is updated to version 8.5.2 and Drupal 8.6 is updated to version 8.6.2. Additionally, any versions of Drupal 8 before version 8.5 are no longer supported and, therefore, will not receive these security updates. (4)
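As an added example (not Drupal's own code or its fix), the following shows the hardened pattern for the class of bug described above: a mail backend that hands the message's Return-Path to the sendmail binary as a -f argument must validate the address and pass it as a separate argv element, never as part of a shell string. The allow-list regex and the sendmail path are assumptions.

```python
import re
import shlex

# Return-Path syntax tight enough that no shell metacharacter (space, ;, |, quotes, $, backticks) passes,
# and that cannot start with "-" so it is never mistaken for an option. Illustrative allow-list,
# not a full RFC 5322 validator (assumption).
RETURN_PATH_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

def is_acceptable_return_path(address):
    """True only for plain mailbox addresses that are safe to hand to a mail transport."""
    return bool(RETURN_PATH_RE.match(address))

def sendmail_argv(return_path, sendmail="/usr/sbin/sendmail"):
    """Build the transport command as an argv list, so no shell ever parses the sender address."""
    if not is_acceptable_return_path(return_path):
        raise ValueError(f"refusing Return-Path {return_path!r}: not a plain mailbox address")
    # -t reads recipients from the headers, -i keeps a lone "." from ending the message,
    # -f sets the envelope sender as its own argument.
    return [sendmail, "-t", "-i", "-f", return_path]

def sendmail_command_line(return_path, sendmail="/usr/sbin/sendmail"):
    """Where a shell string is unavoidable, quote every argument (the Python analogue of escapeshellarg)."""
    return " ".join(shlex.quote(arg) for arg in sendmail_argv(return_path, sendmail))

if __name__ == "__main__":
    print(sendmail_argv("alice@example.com"))
    for candidate in ("bob@example.com extra", "bob@example.com;id", "-oops@example.com"):
        print(candidate, "->", "accepted" if is_acceptable_return_path(candidate) else "rejected")
```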
- Windows 10/Server 2016/Server 2019 Microsoft Data Sharing Zero-day Vulnerability:
A security researcher has disclosed a Windows zero-day vulnerability on Twitter for the second time in the span of two months. Proof of Concept (PoC) code for this vulnerability was also published on GitHub and can be used to delete crucial Windows files and cause the operating system to crash. The vulnerability affects the local Microsoft Data Sharing service (dssvc.dll) present in recent versions of Windows, such as Windows 10 (all versions, even those patched with the latest October 2018 update), Windows Server 2016 and Windows Server 2019. An attacker who already has access to the system can exploit this vulnerability to elevate their privileges, allowing them to delete files that normally only administrators can delete and, with appropriate modifications to the PoC, take further actions.
Microsoft is currently working on a fix for this vulnerability. In the meantime, we recommend following security best practices and being vigilant for anomalous activity. (5)
A data breach at Cathay Pacific Airways has prompted calls to review Hong Kong’s breach disclosure rules.
- Cathay Pacific Major Data Breach:
The Hong Kong flight carrier Cathay Pacific has suffered a major data breach, in which cybercriminals accessed the personal data of over 9.4 million passengers. The breach exposed private details, including passenger names, nationalities, dates of birth, phone numbers and email addresses. Cybercriminals also compromised 860,000 passport numbers, 245,000 Hong Kong identity card numbers, 403 expired credit card numbers and 27 credit card numbers with no card verification value (CVV).
Hong Kong’s Privacy Commissioner, Stephen Wong Kai-yi, has pledged legal help for affected customers. Cathay Pacific and IT experts have recommended that passengers are vigilant for suspicious emails or account activity, as they anticipate phishing activities following the leak. (6)
- Leaky Amazon S3 Bucket causes Washington ISP Customer data to be Exposed:
Washington Internet Service Provider Pocket iNet has had over 73 GB of data publicly exposed due to a misconfigured Amazon S3 bucket. The exposed data includes plaintext passwords and AWS secret keys for Pocket iNet employees, internal diagrams of their infrastructure, configuration details, inventory lists and photographs of their equipment. It also exposed details of priority customers using the service.
This type of breach can be mitigated by setting up a policy to check Amazon S3 bucket configurations, as well as making sure buckets aren’t public-facing. (7)
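As an added example of the configuration check recommended above (not from the original report), the following evaluates a bucket's ACL and bucket policy, in the shapes returned by boto3's get_bucket_acl() and a parsed get_bucket_policy() document, and reports any grant or statement that opens the bucket to everyone. The sample ACL, policy and bucket name are constructed.

```python
import json

# ACL grantee groups that make a bucket readable or writable by anyone on the Internet
# (AuthenticatedUsers means any AWS account, not just yours).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_acl_grants(acl):
    """Return (group, permission) pairs from a bucket ACL that grant access to everyone."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return found

def principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" appears inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return aws == "*" or "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_policy_statements(policy):
    """Return Sids of Allow statements open to everyone. Conditioned ones are included too: a Condition
    (e.g. on aws:SourceIp) may narrow them, but that needs a human review rather than a pass."""
    return [st.get("Sid", "<no Sid>") for st in policy.get("Statement", [])
            if st.get("Effect") == "Allow" and principal_is_everyone(st.get("Principal"))]

def bucket_is_public(acl, policy):
    return bool(public_acl_grants(acl) or public_policy_statements(policy))

# Constructed sample data in the shape boto3 returns (the policy document already JSON-decoded).
SAMPLE_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "AllowListing", "Effect": "Allow", "Principal": "*", "Action": "s3:ListBucket",
   "Resource": "arn:aws:s3:::example-backups"},
  {"Sid": "CorpOnly", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"}]}""")

if __name__ == "__main__":
    print("ACL grants to everyone:", public_acl_grants(SAMPLE_ACL))
    print("Policy statements open to everyone:", public_policy_statements(SAMPLE_POLICY))
```

Run it over every bucket in the account on a schedule; a bucket that is public by design (a static website) should be an explicit, documented exception rather than a silent pass.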
- California passes Bill on IoT Device Security:
The Californian government has passed legislation that bans the use of default weak passwords on IoT devices. Device manufacturers must ensure that IoT devices have a unique default password or a password that changes on the first authentication attempt.
This should assist in device security, preventing these devices from being compromised by the use of hardcoded and default credentials. (8)
References
- (1) WebExec FAQ
- (2) Hacker: I’m logged in. New LibSSH Vulnerability: OK! I believe you.
- (3) SecLists.Org Security Mailing List Archive
- (4) Drupal Core – Multiple Vulnerabilities – SA-CORE-2018-006
- (5) Microsoft Windows zero-day disclosed on Twitter, again
- (6) Hong Kong police visit Cathay Pacific HQ to investigate major data breach that hit 9.4 million customers
- (7) Out of Pocket: How an ISP Exposed Administrative System Credentials
- (8) California outlaws poor default passwords in connected devices
This Information Security Report is brought to you by Shearwater Solutions.
Whatever your Information Security challenge, we’re here to help you find the right solution.