CYBAZE-News

Expert discovered a remote code execution vulnerability in the APT package manager used by several Linux distributions, including Debian and Ubuntu.

The independent security consultant Max Justicz has discovered a remote code execution vulnerability in the APT package manager used by several Linux distributions, including Debian and Ubuntu.

The flaw, tracked as CVE-2019-3462, affects APT version 0.8.15 and later. It could be exploited by an attacker in a man-in-the-middle (MiTM) position, or by a malicious mirror, to execute arbitrary code as root on a machine installing any package.

“I found a vulnerability in apt that allows a network man-in-the-middle (or a malicious package mirror) to execute arbitrary code as root on a machine installing any package.” reads a blog post published by Justicz.

“The bug has been fixed in the latest versions of apt. If you’re worried about being exploited during the update process, you can protect yourself by disabling HTTP redirects while you update.”

Vulnerable versions of APT fail to sanitize certain fields received during HTTP redirects, so a remote man-in-the-middle attacker could inject malicious content and trick the system into installing tainted packages.

When apt-get requests a package over HTTP, the contacted mirror may answer with an HTTP redirect that points the client to another server able to serve the file, for example when the first server does not hold it; APT then follows the redirect and fetches the package from there. It is this redirect handling that is vulnerable.

“The code handling HTTP redirects in the HTTP transport method doesn’t properly sanitize fields transmitted over the wire. This vulnerability could be used by an attacker located as a man-in-the-middle between APT and a mirror to inject malicious content in the HTTP connection.” reads the Debian Security Advisory. “This content could then be recognized as a valid package by APT and used later for code execution with root privileges on the target machine.”

The expert published a video PoC showing an attacker intercepting the HTTP traffic between the APT package manager and a mirror (a rogue mirror could do the same) and replacing the legitimate package with a malicious one.

https://justi.cz/assets/aptpoc.mp4

According to Justicz, the flaw could affect all package downloads, including packages installed by the user for the first time.


Serving repositories over HTTPS would have prevented exploitation of this flaw, because a network attacker could not have tampered with the redirect in transit.

“Supporting http is fine. I just think it’s worth making https repositories the default – the safer default – and allowing users to downgrade their security at a later time if they choose to do so. I wouldn’t have been able to exploit the Dockerfile at the top of this post if the default package servers had been using https.” wrote the expert.

APT maintainers quickly patched CVE-2019-3462; for Debian stretch the fix shipped in apt version 1.4.9, and users of affected distributions should update their systems as soon as possible.
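To turn the version threshold and the redirect-disabling workaround above into something checkable, here is an added example; it is not code from the article, from Justicz or from the apt project. It implements Debian's version-ordering rules (epoch, upstream, revision, with a tilde sorting before everything) so an installed apt can be compared with the cut-off, and it builds the update commands with HTTP redirects switched off. Assumptions: 1.4.9 is the Debian stretch cut-off cited above and other release branches received their own backported fix versions, so FIXED_IN should be set per branch; dpkg-query must exist for the live check, while the comparison itself runs anywhere.

```python
# Added example, not code from the article, from Justicz or from apt itself.
# Debian version ordering (epoch:upstream-revision, '~' before everything)
# so an installed apt can be compared with the 1.4.9 cut-off, plus the
# redirect-free update commands Justicz suggested.
import subprocess

FIXED_IN = "1.4.9"   # Debian stretch fix cited above; other branches differ (assumption)

def _ch(s, k):
    """Character k of s, or None past the end."""
    return s[k] if k < len(s) else None

def _order(c):
    """dpkg's weight for one non-digit character: '~' < end < letters < others."""
    if c is None or c.isdigit():
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256

def verrevcmp(a, b):
    """Compare two upstream or revision fragments; negative, 0 or positive."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: character by character using _order().
        while (_ch(a, i) is not None and not a[i].isdigit()) or \
              (_ch(b, j) is not None and not b[j].isdigit()):
            ac, bc = _order(_ch(a, i)), _order(_ch(b, j))
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit run: drop leading zeros, then the longer run wins,
        # otherwise the first differing digit decides.
        while _ch(a, i) == "0":
            i += 1
        while _ch(b, j) == "0":
            j += 1
        while _ch(a, i) is not None and a[i].isdigit() and \
              _ch(b, j) is not None and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if _ch(a, i) is not None and a[i].isdigit():
            return 1
        if _ch(b, j) is not None and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def parse_version(version):
    """Split 'epoch:upstream-revision' into (int epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """-1, 0 or 1 when Debian version a is lower than, equal to or higher than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0

def is_vulnerable(installed, fixed=FIXED_IN):
    """True when the installed apt predates the fixed version."""
    return compare_versions(installed, fixed) < 0

def installed_apt_version():
    """Ask dpkg for the installed apt version (Debian/Ubuntu hosts only)."""
    out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", "apt"],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()

def mitigated_update_commands():
    """apt-get with HTTP redirects disabled, then upgrade apt itself."""
    no_redirect = ["-o", "Acquire::http::AllowRedirect=false"]
    return [["apt-get", *no_redirect, "update"],
            ["apt-get", *no_redirect, "install", "--only-upgrade", "apt"]]

if __name__ == "__main__":
    version = installed_apt_version()
    print(f"apt {version}:", "VULNERABLE" if is_vulnerable(version) else "patched")
    for cmd in mitigated_update_commands():
        print("  ", " ".join(cmd))
```

The ordering code matters more than it looks: a naive string comparison would call 1.4.10 older than 1.4.9 and 1.4.9~rc1 newer than 1.4.9, and either mistake turns the check into false reassurance.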

Pierluigi Paganini

(SecurityAffairs – Linux distribution, APT package manager)

The post Critical flaw in Linux APT package manager could allow remote hack appeared first on Security Affairs.

Adobe released security updates to address multiple XSS vulnerabilities in the Experience Manager and Experience Manager Forms that can lead to information disclosure.

Adobe released security updates for the Experience Manager and Experience Manager Forms to address flaws that can lead to information disclosure.

The Experience Manager is affected by a stored cross-site scripting (XSS) issue and a reflected XSS issue.

The former is rated ‘important’ severity, the latter ‘moderate’; both can result in the exposure of sensitive data.

“Adobe has released security updates for Adobe Experience Manager. These updates resolve one reflected cross-site scripting vulnerability rated Moderate, and one stored cross-site scripting vulnerability rated Important that could result in sensitive information disclosure.” reads the security advisory published by Adobe.

The good news is that Adobe is not aware of threat actors attempting to exploit these vulnerabilities in the wild. Nevertheless, the company urges administrators to install the updates within 30 days.

Adobe also addressed a stored XSS vulnerability in Experience Manager Forms; the bug was discovered by security researcher Adam Willard.

“Adobe has released security updates for Adobe Experience Manager Forms. These updates resolve a stored cross-site scripting vulnerability rated Important that could result in sensitive information disclosure.” reads the security advisory.

The company addressed other issues in its products in January: the Patch Tuesday security updates for January 2019 fixed two flaws rated “important” in the Connect and Digital Editions products.

The first Adobe security updates for 2019 addressed two critical vulnerabilities in the Acrobat and Reader products.

Pierluigi Paganini

(SecurityAffairs – Adobe, XSS)

The post Adobe fixed XSS flaws in Experience Manager that can result in information Disclosure appeared first on Security Affairs.

Data belonging to online casinos was found exposed online on an unprotected Elasticsearch instance; it includes information on 108 million bets and user details.

Data breaches are a common issue; this time an online casino group leaked information about 108 million bets, including user details.

Leaked data includes personal information and payment card details, including real names, home addresses, phone numbers, email addresses, birth dates, site usernames, account balances, IP addresses, browser and OS details, last login information, and a list of played games, deposits, and withdrawals.


According to ZDNet, which first reported the news, the data was stored in an Elasticsearch server exposed online without a password.

Elasticsearch instances are normally deployed on internal networks, but misconfigured systems are sometimes exposed to the Internet.
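The check a practitioner would want here is whether an instance of their own answers anonymous HTTP requests the way the casino server did. The following is an added example, not code from the article, from ZDNet or from Paine; it probes the root banner and the index catalogue the way an opportunistic scanner would, with the network call injected so that the constructed responses at the bottom stand in for a live server.

```python
# Added example, not part of the Security Affairs article or of Paine's and
# ZDNet's research: a probe for the misconfiguration described above, an
# Elasticsearch HTTP API that answers anonymous clients. fetch() is injected
# so the logic runs offline against the constructed responses at the bottom;
# http_fetch() is the real-network version.
import json
import urllib.error
import urllib.request

def http_fetch(base_url, timeout=5):
    """Return fetch(path) -> (status, body) that deliberately sends no credentials."""
    def fetch(path):
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()
    return fetch

def check_elasticsearch(fetch):
    """Classify what an anonymous client can see: auth-required, unreachable,
    not-elasticsearch, banner-only, or open (banner plus the index catalogue)."""
    status, body = fetch("/")
    if status in (401, 403):
        return {"state": "auth-required", "indices": []}
    if status != 200:
        return {"state": "unreachable", "indices": []}
    try:
        banner = json.loads(body)
    except ValueError:
        banner = None
    if not isinstance(banner, dict) or "cluster_name" not in banner or "version" not in banner:
        return {"state": "not-elasticsearch", "indices": []}

    status, body = fetch("/_cat/indices?format=json&bytes=b")
    if status != 200:
        return {"state": "banner-only", "cluster": banner["cluster_name"], "indices": []}
    indices = [(row["index"], int(row.get("docs.count") or 0), int(row.get("store.size") or 0))
               for row in json.loads(body)]
    indices.sort(key=lambda r: r[1], reverse=True)   # largest document count first
    return {"state": "open", "cluster": banner["cluster_name"], "indices": indices}

def total_documents(result):
    """Documents readable without a password, i.e. the size of the exposure."""
    return sum(count for _, count, _ in result["indices"])

# Constructed responses standing in for real servers (no network needed).
OPEN_INSTANCE = {
    "/": (200, json.dumps({"name": "node-1", "cluster_name": "betting-prod",
                           "version": {"number": "6.5.4"}}).encode()),
    "/_cat/indices?format=json&bytes=b": (200, json.dumps([
        {"index": "players", "docs.count": "250000", "store.size": "734003200"},
        {"index": "bets-2019.01", "docs.count": "4100000", "store.size": "2147483648"},
    ]).encode()),
}
SECURED_INSTANCE = {
    "/": (401, b'{"error":{"reason":"missing authentication credentials"}}'),
}

def fake_fetch(table):
    """fetch() backed by one of the constructed response tables above."""
    return lambda path: table.get(path, (404, b""))

if __name__ == "__main__":
    import sys
    # Real use: python3 es_probe.py http://10.0.0.5:9200
    fetch = http_fetch(sys.argv[1]) if len(sys.argv) > 1 else fake_fetch(OPEN_INSTANCE)
    result = check_elasticsearch(fetch)
    print(result["state"], total_documents(result), "documents")
```

An "open" verdict on anything reachable from outside the internal network is the casino situation: the fix is binding the node to an internal address and putting authentication (or at least a firewall) in front of port 9200, not just removing the indices that were noticed.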

The leaked data was discovered by security researcher Justin Paine, who spotted the unsecured Elasticsearch server containing data apparently from an online betting portal.

The data appears to be the result of aggregation from multiple web domains.

“Despite being one server, the ElasticSearch instance handled a huge swathe of information that was aggregated from multiple web domains, most likely from some sort of affiliate scheme, or a larger company operating multiple betting portals.” states ZDNet.

“After an analysis of the URLs spotted in the server’s data, Paine and ZDNet concluded that all domains were running online casinos where users could place bets on classic cards and slot games, but also other non-standard betting games.”

All the domains present in the data leak belong to online casinos (i.e. kahunacasino.com, azur-casino.com, easybet.com, and viproomcasino.net); some of them also offered non-standard betting games.

All the companies involved in the data leak are located in the same building in Limassol, Cyprus, or were operating under the same eGaming license number issued by the government of Curacao, a circumstance that suggests they were operated by the same entity.

According to the expert, the huge archive did not contain full financial details, but ZDNet pointed out that anyone who found the database would have known the personal information of players who recently won large sums of money and could have used it to carry out malicious activities against those users, including scams or extortion attempts.

“It’s down finally. Unclear if the customer took it down or if OVH firewalled it off for them,” Paine told ZDNet.

Pierluigi Paganini

(SecurityAffairs – data leak, online casinos)

The post Did you win at online casinos? Watch out, your data might have had exposed online appeared first on Security Affairs.

The French data protection watchdog CNIL announced a fine of 50 million euros ($57 million) for US search giant Google under GDPR.

“On 21 January 2019, the CNIL’s restricted committee imposed a financial penalty of 50 Million euros against the company GOOGLE LLC, in accordance with the General Data Protection Regulation (GDPR), for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.” reads the press release published by the CNIL.

The investigation conducted by the French watchdog started with two complaints against Google filed in May 2018 by the non-profit organizations None Of Your Business (NOYB) and La Quadrature du Net (LQDN).

The CNIL sanctioned Google for the violation of the transparency and consent rules of the EU GDPR.

The search giant made it difficult for users to find and manage their preferences on data processing purposes and data retention, in particular with regard to targeted advertising.

Google spread this information across too many documents; accessing it required up to 6 separate actions.

The CNIL also found that the information provided is “not always clear nor comprehensive.”

“Moreover, the restricted committee observes that some information is not always clear nor comprehensive.” continues the press release.

“Users are not able to fully understand the extent of the processing operations carried out by Google,” the Commission says. “Similarly, the information communicated is not clear enough so that the user can understand that the legal basis of processing operations for the ads personalization is the consent and not the legitimate interest of the company.”


Google was also sanctioned because it does not obtain users’ explicit consent to process data for targeted advertising.

“The user not only has to click on the button “More options” to access the configuration, but the display of the ads personalization is moreover pre-ticked. However, as provided by the GDPR, consent is “unambiguous” only with a clear affirmative action from the user (by ticking a non-pre-ticked box for instance).”

The French watchdog also noted that before creating an account, the user is asked to tick the boxes « I agree to Google’s Terms of Service» and « I agree to the processing of my information as described above and further explained in the Privacy Policy» in order to proceed. In this way the user gives full consent for all the processing purposes carried out by GOOGLE, including ads personalization and speech recognition. However, the GDPR provides that consent must be explicit and “specific” for each purpose; such broad consent is not allowed.

Is a 50 million euro fine a big one?

Not in comparison with the maximum allowed by the GDPR, which can reach 4 percent of a company’s annual global revenue.

Google has contested the decision of the French watchdog, arguing that it should not apply only to the global Google.com domain.

“People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.” reads a statement issued by the company.

Pierluigi Paganini

(SecurityAffairs – French watchdog, Google)

The post France watchdog fines Google with $57 million under the EU GDPR appeared first on Security Affairs.

A rogue MySQL server could be used to steal files from clients due to a design flaw in the popular open-source relational database management system (RDBMS).

The flaw resides in the file transfer process between a client host and a MySQL server; it could be exploited by an attacker running a rogue MySQL server to access any file that can be read by the client.

The issue is related to the LOAD DATA statement used with the LOCAL modifier. The LOAD DATA statement can load a file located on the server or, if the LOCAL keyword is used, on the client host.

The transfer of the file from the client host to the MySQL server host is initiated by the server.

The client does not choose which file to send: it receives a file-transfer request from the MySQL server in response to its LOAD DATA statement and then uploads whatever file the request names. A rogue server can therefore send such a request for any file the client user has read permission on, regardless of what the client asked for.

“In theory, a patched server could be built that would tell the client program to transfer a file of the server’s choosing rather than the file named by the client in the LOAD DATA statement.” reads the official documentation.

“Such a server could access any file on the client host to which the client user has read access.”

Experts pointed out that the issue also affects web servers that connect to a MySQL server as clients. In this scenario, an attacker can trigger the vulnerability to steal sensitive files, including the /etc/passwd file.

An attacker can get access to a file by knowing its full path; that information could be obtained from the ‘/proc/self/environ’ file, which exposes the environment variables of the running process.
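As an added example (not code from the article, from de Groot or from MySQL or Adminer), the following Python decodes the client and server packets involved in the exchange just described and flags a server file request that does not match what the client asked for, which is exactly the rogue-server case. It assumes the standard MySQL packet framing (3-byte little-endian length, 1-byte sequence id) and the 0xFB marker that introduces the server's file request; the packets at the bottom are constructed, not captured traffic.

```python
# Added example, not from the Security Affairs article, from de Groot's
# research or from MySQL/Adminer: a detector for the rogue-server trick
# described above, written against the MySQL client/server packet format.
# A server file request is legitimate only if it follows a LOAD DATA LOCAL
# INFILE statement from the client and names the same file.
import re

COM_QUERY = 0x03              # first payload byte of a client query packet
LOCAL_INFILE_REQUEST = 0xFB   # first payload byte of a server file request

LOAD_LOCAL_RE = re.compile(
    r"^\s*LOAD\s+DATA\s+(?:(?:LOW_PRIORITY|CONCURRENT)\s+)?LOCAL\s+INFILE\s+'([^']*)'",
    re.IGNORECASE)

def build_packet(seq, payload):
    """Frame a payload as a MySQL packet: 3-byte little-endian length + sequence id."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

def parse_packets(stream):
    """Split a raw byte stream into (sequence_id, payload) tuples."""
    packets, i = [], 0
    while i + 4 <= len(stream):
        length = int.from_bytes(stream[i:i + 3], "little")
        payload = stream[i + 4:i + 4 + length]
        if len(payload) != length:
            raise ValueError("truncated packet")
        packets.append((stream[i + 3], payload))
        i += 4 + length
    return packets

def client_named_file(payload):
    """File named by the client, if this packet is a LOAD DATA LOCAL INFILE query."""
    if not payload or payload[0] != COM_QUERY:
        return None
    m = LOAD_LOCAL_RE.match(payload[1:].decode("utf-8", "replace"))
    return m.group(1) if m else None

def server_requested_file(payload):
    """File the server asks the client to upload, if this is a file request."""
    if payload and payload[0] == LOCAL_INFILE_REQUEST:
        return payload[1:].decode("utf-8", "replace")
    return None

def audit_exchange(client_packet, server_packet):
    """Return 'ok' or a 'rogue: ...' verdict for one query/response pair."""
    _, client_payload = parse_packets(client_packet)[0]
    _, server_payload = parse_packets(server_packet)[0]
    wanted = server_requested_file(server_payload)
    if wanted is None:
        return "ok"                       # no file transfer requested
    named = client_named_file(client_payload)
    if named is None:
        return f"rogue: server asked for {wanted!r} without a LOAD DATA LOCAL statement"
    if named != wanted:
        return f"rogue: client named {named!r} but server asked for {wanted!r}"
    return "ok"

# Constructed samples: a legitimate exchange and the attack described above.
LEGIT_QUERY = build_packet(0, b"\x03LOAD DATA LOCAL INFILE '/tmp/rows.csv' INTO TABLE t")
LEGIT_REQUEST = build_packet(1, b"\xfb/tmp/rows.csv")
PLAIN_QUERY = build_packet(0, b"\x03SELECT 1")
ROGUE_REQUEST = build_packet(1, b"\xfb/etc/passwd")

if __name__ == "__main__":
    print(audit_exchange(LEGIT_QUERY, LEGIT_REQUEST))
    print(audit_exchange(PLAIN_QUERY, ROGUE_REQUEST))
```

This logic belongs in a proxy or an IDS rule in front of clients that must keep LOCAL enabled. For everything else the cheaper defence is to not enable it at all: the mysql command-line client accepts --local-infile=0, and most drivers leave the capability off unless it is explicitly turned on (PyMySQL's local_infile parameter, for instance, defaults to False).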

The attackers could exploit the flaw to steal cryptocurrency wallets and SSH keys.

According to researcher Willem de Groot, the cybercrime gang known as Magecart exploited the flaw to inject software skimmers into shopping sites in attacks dating back to October 2018.

It is quite easy for attackers to set up a malicious server using code that has been available on GitHub for the past five years.

“Adminer is a popular PHP tool to administer MySQL and PostgreSQL databases. However, it can be lured to disclose arbitrary files. Attackers can abuse that to fetch passwords for popular apps such as Magento and WordPress, and gain control of a site’s database.” reads a post published by de Groot.

“AFAIK this attack method has not been published before, but in hindsight I have observed it being used by different Magecart factions at least since October 2018 (although I didn’t understand what was going on back then). The vulnerability was subsequently used to inject payment skimmers on several high-profile stores (government & multinationals).”

de Groot speculates that a modified version of the rogue MySQL server is for sale on the dark web.

The expert noticed attackers using Adminer to send the contents of ‘local.xml’, the file that stores the database password in Magento installs, to a server under their control.


“I have tested Adminer versions 4.3.1 up to 4.6.2 and found all to be vulnerable. Adminer 4.6.3 was released in June, 2018 and appears safe. It is unclear whether the security flaw was fixed deliberately or by accident, as Adminer does not mention a security release.” added the expert.

“I would recommend anyone running Adminer to upgrade to the latest version (4.7.0). Also, I urge anyone to protect their database tools via an additional password and/or IP filter.”

Pierluigi Paganini

(SecurityAffairs – MySQL server, hacking)

The post A flaw in MySQL could allow rogue servers to steal files from clients appeared first on Security Affairs.

The electronics firm Omron released a security update to address flaws in its CX-Supervisor product that can be exploited for DoS attacks and remote code execution.

CX-Supervisor allows engineers to rapidly create human-machine interfaces (HMIs) for supervisory control and data acquisition (SCADA) systems, thanks to a large number of predefined functions and libraries. The software is widely adopted across multiple industries, mainly in the energy sector.

The vulnerabilities were reported through Trend Micro’s Zero Day Initiative (ZDI) by security expert Esteban Ruiz of Source Incite. One of them, tracked as CVE-2018-19027, received a “high” severity rating.

The CVE-2018-19027 flaw affects the CX-One products; it was reported to the vendor on 2018-07-02 and publicly disclosed on 2019-01-14.

“This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of OMRON CX-One CX-Protocol. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.” reported the advisory published by ZDI.

“The specific flaw exists within the handling of PSW files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process.”


ICS-CERT published an advisory that includes details of all the vulnerabilities discovered by the expert. The addressed issues include a use-after-free, a lack of proper validation of user-supplied input, and type confusion bugs that can be exploited by attackers to execute arbitrary code on vulnerable systems.

The “Improper Neutralization of Special Elements used in a Command (‘Command Injection’), CWE-77” issue could allow an attacker to inject commands to delete files and/or delete the contents of a file on the system by using a specially crafted project file. Exploitation of this bug, tracked as CVE-2018-19013, can cause a DoS condition; the issue received a CVSS v3 base score of 5.0.

The vulnerabilities have been addressed with the release of version 3.5.0.11 of CX-Supervisor.
ICS-CERT also suggests upgrading existing development projects, saving them in the new format and then rebuilding them with the latest 3.5.0.11 release.

Pierluigi Paganini

(SecurityAffairs – CX-Supervisor, ICS)

The post Omron addressed multiple flaws in its CX-Supervisor product appeared first on Security Affairs.

An Iranian developer is promoting on a Telegram hacking channel the BlackRouter ransomware through a Ransomware-as-a-Service model.

An Iranian developer is advertising on Telegram a Ransomware-as-a-Service called BlackRouter. The same individual advertises other malware, including a RAT, and is believed to be the author of another ransomware called Blackheart.

BlackRouter was first observed in May 2018, when experts at Trend Micro found the legitimate remote-access application AnyDesk being bundled with the ransomware.

According to Bleeping Computer, security researcher Petrovic discovered a new variant of the BlackRouter ransomware in January, but MalwareHunterTeam stated that the only differences between this variant and previous ones were an improved GUI and the addition of a timer.


A researcher who goes by the handle A Shadow told BleepingComputer that the same ransomware was being offered as a RaaS platform in a hacking channel on Telegram by an Iranian developer.

The developer offers affiliates 80% of the ransom payments and keeps the remaining 20%.


At the time, BlackRouter was not widespread: Bleeping Computer reported only one submission to ID Ransomware since December 31.

The ransomware is mainly distributed via RDP access or through fake cracks and downloads.

Pierluigi Paganini

(SecurityAffairs – ransomware-as-a-service, malware)

The post Iranian developer advertised BlackRouter RaaS appeared first on Security Affairs.

Unpatched critical flaw CVE-2018-15439 could be exploited by a remote, unauthenticated attacker to gain full control over the device.

Cisco Small Business Switch software is affected by a critical and unpatched vulnerability (CVE-2018-15439) that could be exploited by a remote, unauthenticated attacker to gain full control over the device.

Cisco Small Business Switch SOHO devices are used to manage small local area networks; they come in cloud-managed, managed and unmanaged “flavors.”


The flaw has received a critical CVSS base score of 9.8; it stems from the default configuration of the devices, which includes a default, privileged user account.

This account was created for the initial login and cannot be deleted from the Cisco Small Business Switch devices.

“A vulnerability in the Cisco Small Business Switches software could allow an unauthenticated, remote attacker to bypass the user authentication mechanism of an affected device.” reads the security advisory published by Cisco.

“The vulnerability exists because under specific circumstances, the affected software enables a privileged user account without notifying administrators of the system. An attacker could exploit this vulnerability by using this account to log in to an affected device and execute commands with full admin rights.”

The advisory also includes a workaround that consists in disabling this account by adding at least one user account with access privilege set to level 15 to the device configuration.
Users can “configure an account by using admin as user ID, setting the access privilege to level 15, and defining the password by replacing <strong_password> with a complex password chosen by the user.”

“However, if all user-configured privilege level 15 accounts are removed from the device configuration, an affected software release re-enables the default privileged user account without notifying administrators of the system.” continues the advisory.

“Under these circumstances, an attacker can use this account to log in to an affected device and execute commands with full admin rights.”
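To make the condition in the advisory checkable across a fleet, here is an added example (not from the article or from Cisco) that reads a switch running-config and reports whether any user-configured level-15 account exists to keep the default privileged account disabled. The config fragments are constructed, the exact form of a username line varies by model, and the assumption that an account with no privilege keyword sits at level 1 is the example's own.

```python
# Added example, not from the Security Affairs article or Cisco's advisory:
# audit a Small Business switch running-config for the CVE-2018-15439
# condition, i.e. whether any user-configured privilege-15 account exists.
# Config text below is constructed; the default privilege level is assumed.
import re

USERNAME_RE = re.compile(r"^\s*username\s+(\S+)\s+(.*)$", re.IGNORECASE)
PRIVILEGE_RE = re.compile(r"\bprivilege\s+(\d+)\b", re.IGNORECASE)
DEFAULT_LEVEL = 1   # assumption: privilege 1 when the keyword is omitted

def user_accounts(config_text):
    """Return {name: privilege_level} for every username line in the config."""
    accounts = {}
    for line in config_text.splitlines():
        m = USERNAME_RE.match(line)
        if not m:
            continue
        name, rest = m.groups()
        p = PRIVILEGE_RE.search(rest)
        accounts[name] = int(p.group(1)) if p else DEFAULT_LEVEL
    return accounts

def audit_privileged_accounts(config_text):
    """Verdict on the workaround:
    'exposed'   - no level-15 account, so the default privileged account is active
    'single'    - exactly one; deleting it silently re-enables the default account
    'mitigated' - two or more level-15 accounts configured"""
    level15 = sorted(n for n, lvl in user_accounts(config_text).items() if lvl == 15)
    if not level15:
        return "exposed", level15
    if len(level15) == 1:
        return "single", level15
    return "mitigated", level15

# Constructed running-config fragments.
EXPOSED_CONFIG = """\
hostname sw-branch-1
username operator password encrypted 7d3c9e1a privilege 1
ip ssh server
"""
MITIGATED_CONFIG = """\
hostname sw-branch-1
username admin password encrypted 1a2b3c4d privilege 15
username backupadmin privilege 15 password encrypted 5e6f7a8b
username operator password encrypted 7d3c9e1a
"""

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("mitigated", MITIGATED_CONFIG)):
        print(label, audit_privileged_accounts(cfg))
```

The "single" state is worth alerting on as well: the advisory's re-enabling behaviour means a routine account clean-up that removes the last level-15 user reopens the device without any warning to the administrator.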

Experts pointed out that a successful exploit could allow a remote attacker to compromise the entire network.

The vulnerability affects Cisco Small Business 200 Series Smart Switches, 250 Series Smart Switches, 300 Series Managed Switches, 350 Series Managed Switches, Cisco 350X Series Stackable Managed Switches, 500 Series Stackable Managed Switches and 550X Series Stackable Managed Switches.

The Cisco 220 Series and 200E Series Smart Switches aren’t affected, and neither are devices running Cisco IOS Software, Cisco IOS XE Software or Cisco NX-OS Software, according to the networking giant.

At the time of writing there is no patch for the vulnerability; Cisco is expected to release fixed software in the future.

The good news is that the Cisco Product Security Incident Response Team (PSIRT) is not aware of any attack exploiting this vulnerability.

Pierluigi Paganini

(SecurityAffairs – Cisco Small Business Switch, CVE-2018-15439)

The post Unpatched Cisco critical flaw CVE-2018-15439 exposes small Business Networks to hack appeared first on Security Affairs.

Bulgaria has extradited to the United States a Russian hacker indicted by a US court for running a sophisticated ad-fraud scheme.

According to the Russian embassy in Washington, the Russian hacker Alexander Zhukov was extradited on January 18. The Russian embassy has chosen to disclose the news on the VK social network, the Russian version of Facebook. The hacker is currently held in a jail in Brooklyn, New York.

“Employees of the Consulate General in New York will visit him in jail soon,” the embassy said.

Zhukov is accused of being involved in a sophisticated ad fraud scheme that leveraged malware-infected computers and counterfeit websites.

In November, law enforcement and private firms such as Google and WhiteOps took down one of the largest and most sophisticated digital ad-fraud campaigns, dubbed 3ve, which infected over 1.7 million computers to carry out ad fraud.

The name 3ve is derived from a set of three distinct sub-operations using unique measures to avoid detection, and each of them was built around different architectures with different components.

3ve has been active since at least 2014, and experts observed a peak in its activity in 2017. It has been estimated that the campaign allowed its operators to earn more than $30 million; the people involved in the ad-fraud campaign are all from Eastern Europe.

The United States Department of Justice indicted 8 individuals from Russia, Kazakhstan, and Ukraine, one of them is Zhukov.

The operators used a broad range of techniques to monetize their efforts: they created counterfeit versions of legitimate websites, used their own botnet to simulate visitor activity, offered the ad space on those sites to advertisers, and used Border Gateway Protocol (BGP) hijacking for traffic redirection. The crooks also used malicious code to generate fake clicks on online ads and earn money.


The infrastructure involved in the 3ve ad-fraud campaign was enormous: according to the experts, the fraudsters infected 1.7 million computers with malware and used thousands of servers and more than 10,000 counterfeit websites to impersonate legitimate web publishers.

The experts discovered that the crooks used over 60,000 accounts selling ad inventory, generating between 3 and 12 billion ad bid requests per day.

Zhukov, aka Nastra, was arrested in Bulgaria in November; he had lived there since 2010.

“According to Kommersant newspaper, which claims to have spoken with a friend of Zhukov, the hacker stood out on the dark web for the selective way he chose his jobs, staying away from credit-card theft or child pornography.” reported the AFP.

“Zhukov was earning about $20,000 per month on his fake ad-view contracts, but was exposed after a conflict with his US client, Kommersant said.”

Pierluigi Paganini

(SecurityAffairs – Zhukov, ad fraud)

The post Russian hacker Alexander Zhukov extradited by Bulgaria to US appeared first on Security Affairs.

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online with a special deal


Once again thank you!

Pierluigi Paganini

(SecurityAffairs – Microsoft partner portal, data leak)

The post Security Affairs newsletter Round 197 – News of the week appeared first on Security Affairs.