Tag Archives: remote code execution

Adobe Issues Critical Photoshop CC Security Updates

On Wednesday Adobe made available an out of band (un-scheduled) emergency update available for Photoshop CC for both Apple macOS and Windows systems.

Photoshop CC 2018 (versions 19.1.5 and earlier) and Photoshop 2017 (versions 18.1.5 and earlier) are affected by two critical memory corruption vulnerabilities. If an attacker were to exploit these they could achieve remote code execution (defined: the ability for an attacker to remotely carry out any action of their choice on your device). The vulnerabilities were responsibly disclosed (defined) by Kushal Arvind Shah of Fortinet’s FortiGuard Labs to Adobe.

Please follow the steps within Adobe’s security bulletin to install the applicable updates as soon as possible if you use these products.

Thank you.

Apache Foundation Patches Critical Struts Vulnerability

Earlier this week the Apache Software Foundation made available patches for Apache Struts (a web application framework (defined)) bringing the applications active development branches to version 2.3.35 and 2.5.17. These versions addresses a remote code execution vulnerability (defined: the ability for an attacker to remotely carry out any action of their choice on your device) known as CVE-2018-11776. This vulnerability was responsibly disclosed (defined) by the security researcher; Man Yue Mo.

Why should this vulnerability be considered important?
A data breach at the credit rating agency Equifax last year occurred in part due to their lack of patching their affected web servers. The vulnerability resolved this week can be exploited by an attacker simply by visiting specifically crafted URL (defined) on the affected web server (defined). Once exploited the server can be completely under the attacker’s control.

Typically within days of a vulnerability being disclosed; attackers begin to target and exploit it. Compromised are web servers (which are already public facing and can be located using Shodan) can be used as an entry point into other areas of your corporate network. Any application making use of the Struts framework is vulnerable regardless if those applications use plugins.

How to tell if your installation of Apache Struts is vulnerable?
Your Apache Struts is vulnerable if both of the conditions listed below are true (my thanks to this Semmle blog post for this information):

=====================

  1. The alwaysSelectFullNamespace flag is set to true in the Struts configuration. Note that this is automatically the case if your application uses the popular Struts Convention plugin.
  2. Your application uses actions that are configured without specifying a namespace, or with a wildcard namespace (e.g. “/*”). This applies to actions and namespaces specified in the Struts configuration file (e.g. <action namespace=”main”>), but also to actions and namespaces specified in Java code if you are using the Struts Convention plugin.

=====================

How can I protect my web servers from this vulnerability?
Depending upon which version of Apache Struts your web server is using; please upgrade to version 2.3.35 or 2.5.17 as soon as possible.

Thank you.

Valve Resolves Steam Gaming Client Vulnerability

The games company Valve Corporation known primarily for their gaming client Steam have updated it to resolve a critical vulnerability which has been inadvertently present within Steam for the last 10 years.

Why should this vulnerability be considered important?
Due to the many millions of Steam users and the fact this vulnerability is remotely exploitable (since the attacker does not need to first have access to the victim system) makes this vulnerability more serious. An attacker would only have needed to send malformed UDP (defined) packets to a victim system for it to have Steam carry out instructions of their choice.

This vulnerability was a buffer overflow (defined) within one of Steam’s internal libraries (the general concept of a code library is defined here); more specifically code that dealt with UDP datagram reassembly.

How can I protect myself from this vulnerability?
In July 2017, the Steam client added Address Space Layout Randomisation (ASLR)(defined) making exploitation of the vulnerability more difficult which would then only crash the Steam client. If however an attacker combined an information leak which exposed the memory address of vulnerable library, even with ASLR enabled the result would have been the same.

Valve patched this vulnerability on April 4th. The Steam client by default updates automatically. Please open it and allow it to update to resolve this vulnerability.

Thank you.

Large Numbers of Email Servers Need to be Patched

Earlier this week; a patch for a potentially serious security vulnerability was made available. This vulnerability affects the Exim Mail Transfer Agent (MTA)(defined).

Details of the vulnerability were privately disclosed (defined) to the application vendor Exim by a security researcher Meh Chang from security firm Devcore Security Consulting in early February.

Why should this vulnerability be considered important?
Due to the pervasiveness of this software across the wider internet and the potential impact an exploit for this issue could have; if you are using the Exim Mail Transfer Agent software within your organisation, it may be at risk of exploitation with the potential for an attacker to achieve remote code execution (RCE)(defined: the ability for an attacker to remotely carry out any action of their choice on your device).

The number of affected MTA server around the world range from 400k, 1.9 million up to approximately 3.8 million (from Shodan (defined).

While the proof of concept (PoC)(defined) exploit for this vulnerability (a one byte buffer overflow (defined) is not trivial (described as “difficult” by the vendor) attackers are likely to try to exploit it given the wide impact it could have if successful.

How can I protect myself from this vulnerability?
Please update any Exim Mail Transfer Agent (MTA) server to version 4.90.1 A useful FAQ which may assist is located here with a wider set of FAQs located here.

Thank you.

BlueBorne : Bluetooth Vulnerability Explained

Researchers from the security firm Armis have discovered a set of eight security vulnerabilities within the Bluetooth (defined) communications technology and responsibly disclosed (defined) them to affected device manufacturers. These are not present in the protocol layer of Bluetooth but within the implementation layer of Bluetooth which “bypasses the various authentication mechanisms, and enabling a complete takeover of the target device” (source). An estimated 5.3 billion devices are thought to be vulnerable ranging from computers tablets, smartphone, TVs, watches to Internet of Things (IoT) (defined) medical devices. This set of vulnerabilities is known as “BlueBorne”.

What is BlueBorne and why is it important?
Exploitation of the BlueBorne vulnerabilities allows the complete compromise of the vulnerable device and does not require the vulnerable device be paired (defined) with the attacking device.

Once exploited the vulnerabilities allow the attacker to conduct remote code execution (defined: the ability for an attacker to remotely carry out any action of their choice on your device)) and man in the middle attacks (defined). To begin the attack, the attacker does not need for the user of the vulnerable device to have taken any action.

These vulnerabilities are particularly severe since Bluetooth is less secured on a corporate network than for example, the proxy server (defined) providing internet access making spreading from advice to device in a worm (defined) like fashion (theoretically) possible. The Bluetooth protocol often runs with high privilege on devices and is not usually considered a potential entry point into a network. Air gapped systems (defined) are also potentially vulnerable.

How can I protect myself from these issues?
Software updates for some devices are listed here (for Google, Linux and Microsoft devices). Recent Apple devices were found not to be vulnerable. A full list of affected devices and the software updates to protect them are listed here and will be updated by Armis.

For users of Google Android devices, they can check if their device is vulnerable by downloading the BlueBorne Android app. Disabling Bluetooth if you are not using it and only leaving it enabled for the time you are using it are also good security practices. Once your devices are updated, you should be able to resume normal Bluetooth usage. Please not that not all devices will or can be updated due to end of support lifecycles, newer products and product limitations. It is estimated approximately 2 billion devices will not receive software updates to resolve these issues.

Thank you.